Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562672
MD5:	55181cf50afa00196c7cbd00013e03a6
SHA1:	a5ac8deef254c7ff3580a6e8149638df870c192e
SHA256:	c29a9fb9427a83ccdbb4120d82f5808877fcc4fff3443779c334483d47a2d78a
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 6132 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 55181CF50AFA00196C7CBD00013E03A6)

taskkill.exe (PID: 6708 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 4340 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7236 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7348 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7412 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7476 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7508 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7524 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7772 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e90d6c24-d50b-4b75-8f35-614cb58272e1} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4df26df10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7424 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -parentBuildID 20230927232528 -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {029f5e9b-d31f-417f-878f-f26b29793504} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f11e8b10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8040 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d47f84-ba1a-4e37-9bbb-53b6fefaa308} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f01beb10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1311074384.00000000012E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.1247421229.00000000012E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 6132	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0072EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0072EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0072ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0072EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0071AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00749576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00749576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cc5a65a8-c
Source: file.exe, 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b21d8fc3-1
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a300c9f7-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_93360b85-b

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000016907232377 NtQuerySystemInformation,		23_2_0000016907232377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000016907256272 NtQuerySystemInformation,		23_2_0000016907256272

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0071D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00711201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00711201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0071E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BBF40	0_2_006BBF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B8060	0_2_006B8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00722046	0_2_00722046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00718298	0_2_00718298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EE4FF	0_2_006EE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E676B	0_2_006E676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00744873	0_2_00744873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BCAF0	0_2_006BCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006DCAA0	0_2_006DCAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CCC39	0_2_006CCC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E6DD9	0_2_006E6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CB119	0_2_006CB119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B91C0	0_2_006B91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1394	0_2_006D1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1706	0_2_006D1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D781B	0_2_006D781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C997D	0_2_006C997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B7920	0_2_006B7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D19B0	0_2_006D19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D7A4A	0_2_006D7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1C77	0_2_006D1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D7CA7	0_2_006D7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0073BE44	0_2_0073BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E9EEE	0_2_006E9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D1F32	0_2_006D1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000016907232377	23_2_0000016907232377
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_0000016907256272	23_2_0000016907256272
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_00000169072562B2	23_2_00000169072562B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 23_2_000001690725699C	23_2_000001690725699C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006D0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006CF9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 006B9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/38@90/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007237B5 GetLastError,FormatMessageW,

0_2_007237B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007110BF AdjustTokenPrivileges,CloseHandle,		0_2_007110BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007116C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_007116C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007251CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007251CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0071D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0072648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006B42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1428830081.000001B4FA8EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379065109.000001B4FA8EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000013.00000003.1428830081.000001B4FA8EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379065109.000001B4FA8EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e90d6c24-d50b-4b75-8f35-614cb58272e1} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4df26df10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -parentBuildID 20230927232528 -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {029f5e9b-d31f-417f-878f-f26b29793504} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f11e8b10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d47f84-ba1a-4e37-9bbb-53b6fefaa308} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f01beb10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e90d6c24-d50b-4b75-8f35-614cb58272e1} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4df26df10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -parentBuildID 20230927232528 -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {029f5e9b-d31f-417f-878f-f26b29793504} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f11e8b10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d47f84-ba1a-4e37-9bbb-53b6fefaa308} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f01beb10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 00000013.00000003.1374641384.000001B4FB85D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000013.00000003.1439579300.000001B4EEA37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000013.00000003.1439579300.000001B4EEA37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000013.00000003.1437055769.000001B4EEA2D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000013.00000003.1374641384.000001B4FB85D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000013.00000003.1437055769.000001B4EEA2D000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Source: gmpopenh264.dll.tmp.19.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D0A76 push ecx; ret

0_2_006D0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006CF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_006CF98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00741C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00741C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-95572

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_0000016907232377 rdtsc

23_2_0000016907232377

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0071DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006EC2A2 FindFirstFileExW,	0_2_006EC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007268EE FindFirstFileW,FindClose,	0_2_007268EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0072698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0071D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0071D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0071D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00729642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00729642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0072979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0072979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00729B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00729B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00725C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00725C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Source: firefox.exe, 00000017.00000002.3110380984.00000169070F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln_
Source: firefox.exe, 00000019.00000002.3110188865.0000025B74530000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: firefox.exe, 00000015.00000002.3111394021.0000023341E00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3105271807.000002334195A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000015.00000002.3111394021.0000023341E00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf
Source: firefox.exe, 00000015.00000002.3110577428.0000023341D16000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000019.00000002.3104110816.0000025B741CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,St[
Source: firefox.exe, 00000017.00000002.3110380984.00000169070F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWj
Source: firefox.exe, 00000017.00000002.3102963467.000001690684A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 00000015.00000002.3111394021.0000023341E00000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3110380984.00000169070F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 23_2_0000016907232377 rdtsc

23_2_0000016907232377

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0072EAA2 BlockInput,

0_2_0072EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_006E2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D4CE8 mov eax, dword ptr fs:[00000030h]

0_2_006D4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00710B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00710B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006E2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006E2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_006D083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D09D5 SetUnhandledExceptionFilter,	0_2_006D09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006D0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_006D0C21

Source: C:\Users\user\Desktop\file.exe

0_2_00711201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006F2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_006F2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0071B226 SendInput,keybd_event,

0_2_0071B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007322DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007322DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00710B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00711663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00711663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000013.00000003.1377501155.000001B4FB801000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006D0698 cpuid

0_2_006D0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00728195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00728195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0070D27A GetUserNameW,

0_2_0070D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006EB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_006EB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006B42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1311074384.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1247421229.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1311074384.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1247421229.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6132, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00731204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00731806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00731806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.129	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.65.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.46	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000013.00000003.1467343655.000001B4F27CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3105187450.0000016906BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3106403772.0000025B744C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000013.00000003.1454109155.000001B4F18FE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000013.00000003.1429580174.000001B4FA78C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.19.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000013.00000003.1322115424.000001B4F6F2C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000019.00000002.3106403772.0000025B7448F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000013.00000003.1471677446.000001B4F6EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1430235678.000001B4F6EBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1466658535.000001B4F6EBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1452002748.000001B4F6EBC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000013.00000003.1478540212.000001B4F73B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449678180.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324958412.000001B4F0C74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324230619.000001B4F73D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324359723.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1470627018.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000013.00000003.1449387487.000001B4F73D3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 00000013.00000003.1389138372.000001B4F06CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 00000013.00000003.1456096433.000001B4F06CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1389138372.000001B4F06CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1477293476.000001B4F06D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000013.00000003.1297207124.000001B4EEC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297699244.000001B4EEE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297833179.000001B4EEE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297552926.000001B4EEE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297335300.000001B4EEE21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000013.00000003.1480235008.000001B4F016F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1476366646.000001B4F0AC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1476366646.000001B4F0A9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1457813555.000001B4F016F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000013.00000003.1477700095.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469470354.000001B4FA85D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000013.00000003.1449864467.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471148734.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379616977.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000013.00000003.1297207124.000001B4EEC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297699244.000001B4EEE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297833179.000001B4EEE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297552926.000001B4EEE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1459039352.000001B4EFF99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1485491546.000001B4EFF93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297335300.000001B4EEE21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1404696069.000001B4F02FC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1481113006.000001B4EFF92000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000013.00000003.1380826919.000001B4F253B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000013.00000003.1297207124.000001B4EEC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297699244.000001B4EEE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297552926.000001B4EEE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1297335300.000001B4EEE21000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000013.00000003.1327334925.000001B4EFE75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000013.00000003.1453200818.000001B4F2585000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000013.00000003.1486233885.000001B4EFDD5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000013.00000003.1471677446.000001B4F6EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1430235678.000001B4F6EBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1466658535.000001B4F6EBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1452002748.000001B4F6EBC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000013.00000003.1470147484.000001B4F7467000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000013.00000003.1449211244.000001B4FA7CD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 00000013.00000003.1429807463.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449387487.000001B4F73D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478252744.000001B4F7444000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000013.00000003.1449864467.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471148734.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379616977.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000019.00000002.3106403772.0000025B7440C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=htQ	firefox.exe, 00000015.00000002.3105904705.00000233419C0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000013.00000003.1339605784.000001B4EFB0D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1338345343.000001B4EF996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1340754567.000001B4EFB0F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000013.00000003.1478540212.000001B4F73B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449678180.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324230619.000001B4F73D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324359723.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1470627018.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000013.00000003.1379555009.000001B4FA7F3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000003.1466120975.000001B4F7294000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1467343655.000001B4F27CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3105187450.0000016906BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3106403772.0000025B744C4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000013.00000003.1338404164.000001B4EF97B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1339699555.000001B4EF9B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000013.00000003.1435100228.000001B4F0086000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000013.00000003.1455597459.000001B4F188B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=htA	firefox.exe, 00000017.00000002.3110035190.0000016906C80000.00000004.00000020.00020000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000013.00000003.1480235008.000001B4F016F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1476366646.000001B4F0AC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1457813555.000001B4F016F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.19.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 00000013.00000003.1477293476.000001B4F06D4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000015.00000002.3106807146.0000023341BEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3105187450.0000016906BEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3110383616.0000025B74703000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.19.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000013.00000003.1429807463.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000013.00000003.1449387487.000001B4F73D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3105187450.0000016906B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3106403772.0000025B74413000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000013.00000003.1478540212.000001B4F73B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449678180.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324230619.000001B4F73D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324359723.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1470627018.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.19.dr	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/	firefox.exe, 00000013.00000003.1389138372.000001B4F06CC000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/CN=The	firefox.exe, 00000019.00000002.3106403772.0000025B74413000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 00000013.00000003.1338404164.000001B4EF97B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1339699555.000001B4EF9B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000013.00000003.1337394772.000001B4EF9CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1436133880.000001B4F0081000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1394424864.000001B4EF9B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1401852571.000001B4F0080000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1461255806.000001B4F27E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1456837903.000001B4F051E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1331935268.000001B4F029E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1343750121.000001B4EF9C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1461460754.000001B4F18E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1392218867.000001B4EFBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1455597459.000001B4F18E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1405620334.000001B4EFBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1420264277.000001B4EF9C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1437022484.000001B4EFBBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1381846276.000001B4F24C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1405255320.000001B4F0080000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1384394588.000001B4F13B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1320591572.000001B4F6F84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475071556.000001B4F18E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1418381222.000001B4EF9B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1435100228.000001B4F0086000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 00000013.00000003.1380826919.000001B4F253B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 00000013.00000003.1380826919.000001B4F253B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.19.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 00000013.00000003.1327138008.000001B4F71F3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 00000013.00000003.1380509886.000001B4F2ADE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324359723.000001B4F73B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1467118404.000001B4F2AE6000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000013.00000003.1379616977.000001B4F70C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379952714.000001B4F7054000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471148734.000001B4F70CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449864467.000001B4F70C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70C8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000013.00000003.1379616977.000001B4F70C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379952714.000001B4F7054000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471148734.000001B4F70CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449864467.000001B4F70C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70C8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000013.00000003.1322115424.000001B4F6F2C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 00000013.00000003.1449864467.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471148734.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379616977.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema	firefox.exe, 00000013.00000003.1470317198.000001B4F73D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324958412.000001B4F0C74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478455118.000001B4F73DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1449387487.000001B4F73D3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000013.00000003.1449864467.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1471148734.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379616977.000001B4F70D5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000013.00000003.1383517271.000001B4F18F2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000013.00000003.1298865213.000001B4EE633000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 00000013.00000003.1338404164.000001B4EF97B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1339699555.000001B4EF9B4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000013.00000003.1485773472.000001B4EFF57000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000013.00000003.1466658535.000001B4F6E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1430235678.000001B4F6E81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1452002748.000001B4F6E81000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000013.00000003.1338564000.000001B4EF9A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1338377834.000001B4EF988000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1338345343.000001B4EF996000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1338404164.000001B4EF96D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1339699555.000001B4EF9B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1339552923.000001B4EFB1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1340815347.000001B4EFB05000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000013.00000003.1298865213.000001B4EE633000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000013.00000003.1379555009.000001B4FA7F3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000013.00000003.1472794747.000001B4F2786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.3110267000.0000023341C40000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3110538525.00000169071F0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3105832220.0000025B742A0000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.65.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562672
Start date and time:	2024-11-25 21:33:32 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/38@90/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 313
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.27.142.243, 52.32.237.164, 34.209.229.249, 172.217.19.202, 172.217.17.42, 172.217.17.78, 88.221.134.209, 88.221.134.155, 172.217.17.46
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.65.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://www.urbanerecycling.com	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	34.174.208.6
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	https://invites-doc.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	http://www.thecrownstate.co.uk/	Get hash	malicious	Unknown	Browse	151.101.192.176
	https://sites.google.com/ceqy.com/rfp/home	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://yancesybros.com/WHF9842BVD.html	Get hash	malicious	Unknown	Browse	151.101.194.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	_Rmcgaughy_Sonicwall inc._Financial...2024-jxj9FL.svg	Get hash	malicious	Unknown	Browse	199.232.196.193
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	http://www.urbanerecycling.com	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	34.174.208.6
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.65.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dffbd27d-ffd0-41c5-b906-1a25fbf1be66.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.174751106241444
Encrypted:	false
SSDEEP:	192:IMvMXP7scbhbVbTbfbRbObtbyEl7n4rNJA6unSrDtTkd/S9f:IFwcNhnzFSJYrI1nSrDhkd/cf
MD5:	BA3414F4E3A5B158B6B248CD7A97A5AD
SHA1:	CC847CC22FCCDDFC0725F7C39E660383DED6F9DF
SHA-256:	17AD379E3F0CA4C3D2DB07B7AAB8D47C91CA68C3EBDCCFFDB344BBD117F2D4E0
SHA-512:	837D6604E62F753FD9AEC65E6EEBD11ADE5C75BB9A08C6CBC53DC1695215D9EAB0AC9A9C0C9A301A0F6523FD67D4A67FAF14409B53181E0842E71B8E0CA1B558
Malicious:	false
Preview:	{"type":"uninstall","id":"dffbd27d-ffd0-41c5-b906-1a25fbf1be66","creationDate":"2024-11-25T22:28:53.914Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dffbd27d-ffd0-41c5-b906-1a25fbf1be66.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.174751106241444
Encrypted:	false
SSDEEP:	192:IMvMXP7scbhbVbTbfbRbObtbyEl7n4rNJA6unSrDtTkd/S9f:IFwcNhnzFSJYrI1nSrDhkd/cf
MD5:	BA3414F4E3A5B158B6B248CD7A97A5AD
SHA1:	CC847CC22FCCDDFC0725F7C39E660383DED6F9DF
SHA-256:	17AD379E3F0CA4C3D2DB07B7AAB8D47C91CA68C3EBDCCFFDB344BBD117F2D4E0
SHA-512:	837D6604E62F753FD9AEC65E6EEBD11ADE5C75BB9A08C6CBC53DC1695215D9EAB0AC9A9C0C9A301A0F6523FD67D4A67FAF14409B53181E0842E71B8E0CA1B558
Malicious:	false
Preview:	{"type":"uninstall","id":"dffbd27d-ffd0-41c5-b906-1a25fbf1be66","creationDate":"2024-11-25T22:28:53.914Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.313260333815303
Encrypted:	false
SSDEEP:	48:3d2m3UgdwtAzhd2mx6Bdwt4fd2mxadwt61:rEwxFsx1k
MD5:	0630374DFF6153F34FD46415A1931634
SHA1:	BD9AB34CCFF581FE4A5C367FFC5050A1D68F70A2
SHA-256:	B47E8F67F5A9E069C17AFD1FEF446E3C638993DA6B14B298877EBB620A9F3BE0
SHA-512:	559CD638B1E0BD82ACB56FF3A4B2C1537EE10842CDFB1DDCE3B659E1AC4F0B833C89376B2A18DDCA9D3900710C8576740C86EC47667E58CCD4D3D7DE54CC6881
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......\|.+sy?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.IyY......B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYP...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............@Mq.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312624406080011
Encrypted:	false
SSDEEP:	48:3dim3UgdwtAzhd2mx6Bdwt4fd2mxadwt61:bEwxFsx1k
MD5:	14ACF2C8729E1C07E7243EAAE48B4F80
SHA1:	5A3FBC9A2E696182E7DAB81857923E53971DCACC
SHA-256:	E1C717E3CAF02D30208103CDDDB3236A96A6BD9761D91989E677317B4B74AC4E
SHA-512:	1EE09F65231D679A5275259904C6C4C8D7C8CD6C9488F5C19B7D0E73A0AD5993BF5CE07DFA839004832B9E05A1BCAC60E99BD81D66592457B662A5B431859B73
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......\|.+sy?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.IyY......B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyYP.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYP...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............@Mq.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9GMPOC7MVGD0Z2FOIK2A.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.313260333815303
Encrypted:	false
SSDEEP:	48:3d2m3UgdwtAzhd2mx6Bdwt4fd2mxadwt61:rEwxFsx1k
MD5:	0630374DFF6153F34FD46415A1931634
SHA1:	BD9AB34CCFF581FE4A5C367FFC5050A1D68F70A2
SHA-256:	B47E8F67F5A9E069C17AFD1FEF446E3C638993DA6B14B298877EBB620A9F3BE0
SHA-512:	559CD638B1E0BD82ACB56FF3A4B2C1537EE10842CDFB1DDCE3B659E1AC4F0B833C89376B2A18DDCA9D3900710C8576740C86EC47667E58CCD4D3D7DE54CC6881
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......\|.+sy?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.IyY......B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyY..............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYP...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............@Mq.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PUI2JXKGHBW0QKK9KTWH.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	modified
Size (bytes):	5488
Entropy (8bit):	3.312624406080011
Encrypted:	false
SSDEEP:	48:3dim3UgdwtAzhd2mx6Bdwt4fd2mxadwt61:bEwxFsx1k
MD5:	14ACF2C8729E1C07E7243EAAE48B4F80
SHA1:	5A3FBC9A2E696182E7DAB81857923E53971DCACC
SHA-256:	E1C717E3CAF02D30208103CDDDB3236A96A6BD9761D91989E677317B4B74AC4E
SHA-512:	1EE09F65231D679A5275259904C6C4C8D7C8CD6C9488F5C19B7D0E73A0AD5993BF5CE07DFA839004832B9E05A1BCAC60E99BD81D66592457B662A5B431859B73
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.......\|.+sy?..........S...........................P.O. .:i.....+00.../C:\.....................1.....EW.=..PROGRA~1..t......O.IyY......B...............J.......z.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}WyYP.............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}WyYP...............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............@Mq.....C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.940671064881734
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLGY8P:8S+Oc+UAOdwiOdKeQjDLGY8P
MD5:	CA99E5F4C3EB17FF4D7D4D91B3AEC213
SHA1:	7E89E7C0B27A24D8498A0765180165A3BBEAEB44
SHA-256:	EE34AAA4AA05368A5B11C93E505FE6798DC7D45D83E50C02595DE4E61135245A
SHA-512:	F2B234A6C261B19098D622CB83488543359287AF9179CDE112CE12ADA89A0758B49EF680076AEE71F8369067B670F2AD24A611572F5E82138913870A57DA8809
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.940671064881734
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLGY8P:8S+Oc+UAOdwiOdKeQjDLGY8P
MD5:	CA99E5F4C3EB17FF4D7D4D91B3AEC213
SHA1:	7E89E7C0B27A24D8498A0765180165A3BBEAEB44
SHA-256:	EE34AAA4AA05368A5B11C93E505FE6798DC7D45D83E50C02595DE4E61135245A
SHA-512:	F2B234A6C261B19098D622CB83488543359287AF9179CDE112CE12ADA89A0758B49EF680076AEE71F8369067B670F2AD24A611572F5E82138913870A57DA8809
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07326828900706268
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkii:DLhesh7Owd4+jii
MD5:	A9E8A8FEF67BA92C53651CE1063E1ECB
SHA1:	09609B0224F9061A0025712A514F099B838F362C
SHA-256:	9797A46FFBB5D0001A04F59DAA22E2E2D33F621326CB5F4B19FDFF9D92573AEA
SHA-512:	B72F1A7BD8C216A0F10B47454B4EFE01490C185CABB0412C9B8F3599095302E46E36BD7E67DB9695D3E6AEDB203368A2EE0AAE5839D841D570EBFA5537574FB3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039545238451853294
Encrypted:	false
SSDEEP:	3:GHlhVis6BXSAM3OA4ldlhVis6BXSAM3OYSl8a9//Ylll4llqlyllel4lt:G7Vis6BS3OjhVis6BS3O/L9XIwlio
MD5:	26DA4A0B65F22BD40894CD4B6893B3F6
SHA1:	C7ABA8E7A467889C82A633571EE972ED9F90CA29
SHA-256:	BE774EC4F95E291D2494A4280B425D868CF64FE9017641BFF59FD4BF06E4928E
SHA-512:	9F58AAE3D2B313876474B4E23F0305496995CE1AC511D6E8CD7D60C489311B2A9673640692BE500CFFB2BDF4F2D4A6BCB80D029A99ECD56788379BF04020B2B8
Malicious:	false
Preview:	..-.........................-$...>.V............-.........................-$...>.V..................................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11479386700749489
Encrypted:	false
SSDEEP:	24:KxGfkzLxsZ+rZxsMl+4UC0yWUCiYCCQE/5SKCwCfxsad2H5DwldVVZ2i7+:WGMRQEJxHWsYSHVi50vDZk
MD5:	485C68A0F8B1C01933F64E1AE03106EF
SHA1:	8E311577B27D334667A0D8E5B792107D11844DD1
SHA-256:	E3EDCAE0337A85F79C5E910081CAC1EBDDE75C280C366C691DEA5D8928721B9F
SHA-512:	5199132192DC20607DB5C93743F47F3964BDEF8978DF70F9CF860F3CC050F90B25BFD177025F84F417C9C18ADCFFB6D108C7AFBE6A9557925E0B667339ACD475
Malicious:	false
Preview:	7....-...........>.V....................>.V.....P&.F&.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.4782506430718305
Encrypted:	false
SSDEEP:	192:l/nSRkyYbBp68qUCaXK6VaqNe75RHNBw8dVnSl:EePqU50mgPwO0
MD5:	FD2D429BAB903A72F76B494ED90F73D9
SHA1:	DEA3DE8EF131893B37B92358836A7031D22D352E
SHA-256:	F50EB244C7C557FC29D5BE88D39C74A234F3C8C8403AD44586E27ED521751CD2
SHA-512:	784EA10EA80ECED599135655B8D81B5D769F1A024BF2E26DAD7CE58359BE022A3BBA6999C8D949E5BD26A95DDE9CD8B23D6195CCEAF4FDA4DE54312DF86BE517
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732573704);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732573704);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732573704);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173257

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.4782506430718305
Encrypted:	false
SSDEEP:	192:l/nSRkyYbBp68qUCaXK6VaqNe75RHNBw8dVnSl:EePqU50mgPwO0
MD5:	FD2D429BAB903A72F76B494ED90F73D9
SHA1:	DEA3DE8EF131893B37B92358836A7031D22D352E
SHA-256:	F50EB244C7C557FC29D5BE88D39C74A234F3C8C8403AD44586E27ED521751CD2
SHA-512:	784EA10EA80ECED599135655B8D81B5D769F1A024BF2E26DAD7CE58359BE022A3BBA6999C8D949E5BD26A95DDE9CD8B23D6195CCEAF4FDA4DE54312DF86BE517
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732573704);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732573704);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732573704);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173257

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.333055241937202
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMBZLXnIgB/pnxQwRlszT5sKhi0/a3eHVVPNZTcTamhuj3pOOcUb2d:GUpOxBZDnR6Ba3etZTW45edHd
MD5:	C636795C03BA9BED95F528AE48B3F214
SHA1:	CD652CBE76016547CEF8CEBDEF9E388EE2AFC52A
SHA-256:	BFF17B3121D634E7A00EAFA31BC941E1050F1625A098D479B797C12EE46FAAD6
SHA-512:	E5CCFB88997DE39C6DAACB811356BB23792A66B283013CB65CF42A4ED2768B076C46C02DE073A643B82DF914B15408B082A7DB15006B223D594D560ADA033FF5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4d7d3443-f18b-4bae-980b-8226ae657872}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732573707947,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..`673213...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....677546,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.333055241937202
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMBZLXnIgB/pnxQwRlszT5sKhi0/a3eHVVPNZTcTamhuj3pOOcUb2d:GUpOxBZDnR6Ba3etZTW45edHd
MD5:	C636795C03BA9BED95F528AE48B3F214
SHA1:	CD652CBE76016547CEF8CEBDEF9E388EE2AFC52A
SHA-256:	BFF17B3121D634E7A00EAFA31BC941E1050F1625A098D479B797C12EE46FAAD6
SHA-512:	E5CCFB88997DE39C6DAACB811356BB23792A66B283013CB65CF42A4ED2768B076C46C02DE073A643B82DF914B15408B082A7DB15006B223D594D560ADA033FF5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4d7d3443-f18b-4bae-980b-8226ae657872}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732573707947,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..`673213...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....677546,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.333055241937202
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMBZLXnIgB/pnxQwRlszT5sKhi0/a3eHVVPNZTcTamhuj3pOOcUb2d:GUpOxBZDnR6Ba3etZTW45edHd
MD5:	C636795C03BA9BED95F528AE48B3F214
SHA1:	CD652CBE76016547CEF8CEBDEF9E388EE2AFC52A
SHA-256:	BFF17B3121D634E7A00EAFA31BC941E1050F1625A098D479B797C12EE46FAAD6
SHA-512:	E5CCFB88997DE39C6DAACB811356BB23792A66B283013CB65CF42A4ED2768B076C46C02DE073A643B82DF914B15408B082A7DB15006B223D594D560ADA033FF5
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4d7d3443-f18b-4bae-980b-8226ae657872}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732573707947,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...8,"startTim..`673213...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....677546,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03583247366072
Encrypted:	false
SSDEEP:	48:YrSAYeeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:yce+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	C3A1A21787611964FA9B0E51F8228080
SHA1:	2CAEA2A9228690265DD666A72DF3907B3058C16E
SHA-256:	20E9AB0FA45AD2F56D5A98265FF2B99B7B7D1256AA69DDDF715E952FA1DFEE55
SHA-512:	594760E16DA11BB269536896A050DC761B24D43C05CD4D3D9911D68292120623B30A180E3EC19EAD8E9EBF69F4D9262319A722019AD041FBE1B28228DCC2C95D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T22:28:08.062Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.03583247366072
Encrypted:	false
SSDEEP:	48:YrSAYeeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAcb5:yce+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	C3A1A21787611964FA9B0E51F8228080
SHA1:	2CAEA2A9228690265DD666A72DF3907B3058C16E
SHA-256:	20E9AB0FA45AD2F56D5A98265FF2B99B7B7D1256AA69DDDF715E952FA1DFEE55
SHA-512:	594760E16DA11BB269536896A050DC761B24D43C05CD4D3D9911D68292120623B30A180E3EC19EAD8E9EBF69F4D9262319A722019AD041FBE1B28228DCC2C95D
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-25T22:28:08.062Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591493104804472
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	55181cf50afa00196c7cbd00013e03a6
SHA1:	a5ac8deef254c7ff3580a6e8149638df870c192e
SHA256:	c29a9fb9427a83ccdbb4120d82f5808877fcc4fff3443779c334483d47a2d78a
SHA512:	20036cd1bce83e348943dc56e2ea66ba4f8d991b658d4cb2f3d321f48f0d57e129ada331e4db4d7b32051158292d0f4ce0b73b9611bea65d9abfe4b58f6f8d61
SSDEEP:	12288:WqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaoTo:WqDEvCTbMWu7rQYlBQcBiT6rprG8awo
TLSH:	49159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6744DA14 [Mon Nov 25 20:12:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE440873F73h
jmp 00007FE44087387Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE440873A5Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE440873A2Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE44087661Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE440876668h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE440876651h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa7e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa7e8	0xa800	e5e0e426a3c68a56fc5395b65c9542aa	False	0.37023344494047616	data	5.611237545409429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1aae	data			1.001610541727672
RT_GROUP_ICON	0xde268	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde2e0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde2f4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde308	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde31c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde3f8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 21:34:35.086986065 CET	49708	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:34:35.087028027 CET	443	49708	35.190.72.216	192.168.2.7
Nov 25, 2024 21:34:35.088131905 CET	49709	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:35.088191032 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:35.088404894 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:35.088455915 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:35.089355946 CET	49711	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:35.100382090 CET	49708	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:34:35.100389957 CET	49709	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:35.100399017 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:35.105055094 CET	49708	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:34:35.105070114 CET	443	49708	35.190.72.216	192.168.2.7
Nov 25, 2024 21:34:35.106477976 CET	49709	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:35.106515884 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:35.110280037 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:35.110296011 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:35.209321022 CET	80	49711	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:35.209403038 CET	49711	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:35.209673882 CET	49711	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:35.330005884 CET	80	49711	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:35.523094893 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:35.523135900 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:35.525824070 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:35.526083946 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:35.526101112 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:35.526726961 CET	49713	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:35.526736021 CET	443	49713	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:35.527270079 CET	49713	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:35.528933048 CET	49713	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:35.528945923 CET	443	49713	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:35.546921015 CET	49714	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:35.546957016 CET	443	49714	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:35.547040939 CET	49714	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:35.548367977 CET	49714	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:35.548379898 CET	443	49714	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.295902014 CET	80	49711	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:36.296251059 CET	49711	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:36.355303049 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:36.355329037 CET	443	49715	34.160.144.191	192.168.2.7
Nov 25, 2024 21:34:36.362955093 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:36.363105059 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:36.363117933 CET	443	49715	34.160.144.191	192.168.2.7
Nov 25, 2024 21:34:36.373585939 CET	443	49708	35.190.72.216	192.168.2.7
Nov 25, 2024 21:34:36.373605967 CET	443	49708	35.190.72.216	192.168.2.7
Nov 25, 2024 21:34:36.384649038 CET	49708	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:34:36.407728910 CET	49708	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:34:36.407748938 CET	443	49708	35.190.72.216	192.168.2.7
Nov 25, 2024 21:34:36.407838106 CET	49708	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:34:36.408066988 CET	443	49708	35.190.72.216	192.168.2.7
Nov 25, 2024 21:34:36.408211946 CET	49708	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:34:36.417171955 CET	80	49711	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:36.417294025 CET	49711	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:36.543356895 CET	49716	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:36.668298006 CET	80	49716	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:36.669858932 CET	49716	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:36.670331001 CET	49716	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:36.752736092 CET	443	49713	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.752829075 CET	49713	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.758315086 CET	49713	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.758315086 CET	49713	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.758325100 CET	443	49713	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.758542061 CET	443	49713	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.758677006 CET	49713	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.767668009 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:36.791649103 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:36.795380116 CET	80	49716	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:36.797674894 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:36.801105976 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:36.801110983 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:36.801666975 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:36.804019928 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:36.804117918 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:36.804214001 CET	443	49712	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:36.805258036 CET	49712	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:36.817189932 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.817203999 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.817785025 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.819530010 CET	443	49714	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.831334114 CET	443	49714	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.832001925 CET	49714	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.832021952 CET	49709	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.832051992 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.842004061 CET	49709	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.842041016 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.842125893 CET	49709	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.842183113 CET	443	49709	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.844535112 CET	49714	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.844556093 CET	443	49714	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.844630003 CET	49714	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.844805002 CET	443	49714	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.848586082 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.848601103 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.849313974 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.852283001 CET	49709	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.852338076 CET	49714	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.852751017 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.852768898 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.854777098 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.860162020 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.860167027 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.860255957 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.860336065 CET	443	49710	142.250.181.142	192.168.2.7
Nov 25, 2024 21:34:36.862751007 CET	49710	443	192.168.2.7	142.250.181.142
Nov 25, 2024 21:34:36.873783112 CET	49718	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.873817921 CET	443	49718	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.874757051 CET	49718	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.876053095 CET	49718	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:36.876080990 CET	443	49718	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:36.887816906 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:36.887943983 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:36.888072014 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:37.008037090 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:37.503118038 CET	49722	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:37.503159046 CET	443	49722	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:37.503360033 CET	49722	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:37.505074978 CET	49722	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:37.505104065 CET	443	49722	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:37.637710094 CET	443	49715	34.160.144.191	192.168.2.7
Nov 25, 2024 21:34:37.637728930 CET	443	49715	34.160.144.191	192.168.2.7
Nov 25, 2024 21:34:37.637821913 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:37.640974998 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:37.640980959 CET	443	49715	34.160.144.191	192.168.2.7
Nov 25, 2024 21:34:37.641289949 CET	443	49715	34.160.144.191	192.168.2.7
Nov 25, 2024 21:34:37.643543959 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:37.643619061 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:37.643760920 CET	443	49715	34.160.144.191	192.168.2.7
Nov 25, 2024 21:34:37.644958019 CET	49715	443	192.168.2.7	34.160.144.191
Nov 25, 2024 21:34:37.821914911 CET	80	49716	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:37.822223902 CET	49716	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:37.943525076 CET	80	49716	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:37.943598032 CET	49716	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:38.021459103 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:38.073808908 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:38.196156025 CET	443	49718	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:38.196399927 CET	49718	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:38.200680017 CET	49718	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:38.200701952 CET	443	49718	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:38.200782061 CET	49718	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:38.200896978 CET	443	49718	34.117.188.166	192.168.2.7
Nov 25, 2024 21:34:38.200959921 CET	49718	443	192.168.2.7	34.117.188.166
Nov 25, 2024 21:34:38.719433069 CET	443	49722	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:38.720268011 CET	49722	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:38.724797010 CET	49722	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:38.724823952 CET	443	49722	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:38.724874020 CET	49722	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:38.725018024 CET	443	49722	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:38.725323915 CET	49722	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:39.840302944 CET	49724	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:39.912599087 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:39.960280895 CET	80	49724	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:39.961971998 CET	49724	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:40.033021927 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:40.080212116 CET	49725	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:40.080264091 CET	443	49725	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:40.081039906 CET	49726	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:40.081068993 CET	443	49726	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:40.081429958 CET	49726	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:40.081430912 CET	49725	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:40.082871914 CET	49725	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:40.082887888 CET	443	49725	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:40.084389925 CET	49726	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:40.084404945 CET	443	49726	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:40.124413013 CET	49727	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:40.153702974 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:40.153739929 CET	443	49728	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:40.153980017 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:40.154098988 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:40.154110909 CET	443	49728	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:40.237437010 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:40.242682934 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:40.244410038 CET	80	49727	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:40.251362085 CET	49727	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:40.291872025 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:40.362577915 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:40.362648964 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:40.362792015 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:40.482676983 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:41.401897907 CET	443	49725	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:41.401966095 CET	49725	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:41.410696983 CET	443	49728	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:41.410876989 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:41.450397968 CET	443	49726	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:41.451087952 CET	49726	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:41.495492935 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:41.545227051 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:42.018914938 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:42.018934011 CET	443	49728	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:42.019977093 CET	443	49728	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:42.022907972 CET	49725	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:42.022937059 CET	443	49725	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:42.022984982 CET	49725	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:42.023075104 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:42.023118973 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:42.023156881 CET	443	49725	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:42.023622990 CET	443	49728	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:42.024840117 CET	49726	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:42.024859905 CET	443	49726	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:42.024914026 CET	49726	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:42.025113106 CET	443	49726	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:42.031353951 CET	443	49728	35.244.181.201	192.168.2.7
Nov 25, 2024 21:34:42.031807899 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:42.031836033 CET	49725	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:42.031848907 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:42.031866074 CET	49726	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:42.032243967 CET	49728	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:34:45.719477892 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:45.839493990 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:46.045018911 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:46.089870930 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:46.446584940 CET	49748	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:46.446620941 CET	443	49748	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:46.446676970 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:46.450184107 CET	49748	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:46.451687098 CET	49748	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:46.451708078 CET	443	49748	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:46.568751097 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:46.584692955 CET	49749	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:46.584737062 CET	443	49749	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:46.584831953 CET	49749	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:46.586301088 CET	49749	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:46.586314917 CET	443	49749	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:46.771457911 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:46.801671028 CET	49751	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:46.801687002 CET	443	49751	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:46.803340912 CET	49751	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:46.804819107 CET	49751	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:46.804831028 CET	443	49751	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:46.823100090 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:47.331916094 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:47.331964970 CET	443	49756	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:47.340270042 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:47.340464115 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:47.340477943 CET	443	49756	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:47.757509947 CET	443	49748	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:47.758332014 CET	49748	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:47.761936903 CET	49748	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:47.761943102 CET	443	49748	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:47.762027025 CET	49748	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:47.762073040 CET	443	49748	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:47.762202024 CET	49748	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:47.764146090 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:47.810414076 CET	443	49749	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:47.810520887 CET	49749	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:47.884098053 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:48.088593006 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:48.142395973 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:48.158847094 CET	443	49751	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.171331882 CET	443	49751	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.178055048 CET	49751	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.475800991 CET	49749	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:48.475824118 CET	443	49749	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:48.475878000 CET	49749	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:48.476042986 CET	443	49749	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:48.477031946 CET	49749	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:48.485384941 CET	49751	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.485402107 CET	443	49751	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.485491991 CET	49751	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.485634089 CET	443	49751	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.485790014 CET	49751	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.600528002 CET	443	49756	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.600543022 CET	443	49756	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.600609064 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.975905895 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.975923061 CET	443	49756	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.976104975 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:48.976200104 CET	443	49756	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.980345964 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.980406046 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.980496883 CET	443	49756	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:48.981161118 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:48.981175900 CET	49756	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:49.096216917 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:49.291846037 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:49.293301105 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.293332100 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.294763088 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.296103954 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.296116114 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.301297903 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:49.345912933 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:49.380651951 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.380696058 CET	443	49765	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.382004023 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.382164001 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.382184982 CET	443	49765	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.384063959 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.384098053 CET	443	49766	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.384989977 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.385119915 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.385140896 CET	443	49766	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.387908936 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.387940884 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.389101028 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.389300108 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:49.389322042 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:49.390312910 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:49.390343904 CET	443	49768	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:49.390543938 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:49.390686989 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:49.390702009 CET	443	49768	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:49.411891937 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:49.615916967 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:49.662436962 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:50.601910114 CET	443	49768	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:50.601988077 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:50.603262901 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:50.603329897 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:50.638955116 CET	443	49765	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:50.639105082 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:50.646219969 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:50.646290064 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:50.690903902 CET	443	49766	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:50.691106081 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.267676115 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.267712116 CET	443	49765	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.268059015 CET	443	49765	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.269782066 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.269820929 CET	443	49766	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.270104885 CET	443	49766	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.271874905 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.271888971 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.272185087 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.274235964 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:51.274255037 CET	443	49768	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:51.274580002 CET	443	49768	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:51.280061007 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280070066 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280077934 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.280185938 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280275106 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280284882 CET	443	49765	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.280318022 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280320883 CET	443	49761	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.280482054 CET	443	49766	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.280483007 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280575991 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280586958 CET	443	49766	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.280627012 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280649900 CET	443	49767	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.280905962 CET	49765	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280916929 CET	49761	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280926943 CET	49767	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.280936003 CET	49766	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.320436001 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:51.673311949 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:51.673552990 CET	443	49768	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:51.673645020 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:51.673654079 CET	443	49768	34.149.100.209	192.168.2.7
Nov 25, 2024 21:34:51.676937103 CET	49768	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:34:51.680779934 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:51.699081898 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:51.703824043 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.703856945 CET	443	49774	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.704648972 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.704823017 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.704838037 CET	443	49774	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.712703943 CET	49775	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.712721109 CET	443	49775	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.720818043 CET	49775	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.723040104 CET	49775	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:51.723057032 CET	443	49775	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:51.800765991 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:51.819020033 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:52.012312889 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:52.023052931 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:52.027683973 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:52.069356918 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:52.147726059 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:52.353844881 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:52.408026934 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:52.961679935 CET	443	49774	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:52.961791992 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:52.964694977 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:52.964720964 CET	443	49774	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:52.964951992 CET	443	49774	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:52.967003107 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:52.967118979 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:52.967152119 CET	443	49774	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:52.967827082 CET	49774	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:52.969799042 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:53.027896881 CET	443	49775	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:53.027909040 CET	443	49775	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:53.027983904 CET	49775	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:53.032296896 CET	49775	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:53.032305956 CET	443	49775	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:53.032414913 CET	49775	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:53.032450914 CET	443	49775	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:53.034281015 CET	49775	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:53.036686897 CET	49777	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:53.036720037 CET	443	49777	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:53.037036896 CET	49777	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:53.038443089 CET	49777	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:53.038454056 CET	443	49777	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:53.089828968 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:53.294935942 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:53.301340103 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:53.341928005 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:53.523720026 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:53.643867970 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:53.658670902 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:53.696190119 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:53.778601885 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:53.982618093 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:53.986772060 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:54.028357029 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:54.106755972 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:54.306062937 CET	443	49777	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:54.306152105 CET	49777	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:54.311723948 CET	49777	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:54.311743975 CET	443	49777	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:54.311856985 CET	49777	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:54.311881065 CET	443	49777	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:54.312908888 CET	49777	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:54.313014984 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:54.315197945 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:54.317414999 CET	49783	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:54.317456961 CET	443	49783	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:54.317744017 CET	49783	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:54.319133997 CET	49783	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:54.319149017 CET	443	49783	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:54.360496044 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:54.435261965 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:54.641031981 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:54.644653082 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:54.699172974 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:54.764620066 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:54.969432116 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:55.015686989 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:55.529963970 CET	443	49783	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:55.530036926 CET	49783	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:55.537408113 CET	49783	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:55.537419081 CET	443	49783	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:55.537525892 CET	49783	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:55.537566900 CET	443	49783	34.120.208.123	192.168.2.7
Nov 25, 2024 21:34:55.538749933 CET	49783	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:34:55.540504932 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:55.660500050 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:55.864509106 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:55.867168903 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:55.918268919 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:55.987206936 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:56.191701889 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:56.234777927 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:57.911993980 CET	49790	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:57.912085056 CET	443	49790	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:57.912373066 CET	49790	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:57.913769007 CET	49790	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:57.913805962 CET	443	49790	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:59.222623110 CET	443	49790	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:59.222712994 CET	49790	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:59.227067947 CET	49790	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:59.227101088 CET	443	49790	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:59.227171898 CET	49790	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:59.227330923 CET	443	49790	34.107.243.93	192.168.2.7
Nov 25, 2024 21:34:59.227943897 CET	49790	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:34:59.230132103 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:59.350086927 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:59.554151058 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:59.557631969 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:59.594547033 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:34:59.678196907 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:59.888372898 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:34:59.942351103 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:03.033303976 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:03.033334970 CET	443	49803	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:03.035924911 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:03.036329031 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:03.036346912 CET	443	49803	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:03.042896986 CET	49804	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:35:03.042937994 CET	443	49804	35.190.72.216	192.168.2.7
Nov 25, 2024 21:35:03.051604986 CET	49804	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:35:03.054404020 CET	49804	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:35:03.054421902 CET	443	49804	35.190.72.216	192.168.2.7
Nov 25, 2024 21:35:03.196068048 CET	49806	443	192.168.2.7	35.201.103.21
Nov 25, 2024 21:35:03.196114063 CET	443	49806	35.201.103.21	192.168.2.7
Nov 25, 2024 21:35:03.197067976 CET	49806	443	192.168.2.7	35.201.103.21
Nov 25, 2024 21:35:03.198688030 CET	49806	443	192.168.2.7	35.201.103.21
Nov 25, 2024 21:35:03.198703051 CET	443	49806	35.201.103.21	192.168.2.7
Nov 25, 2024 21:35:03.274812937 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:03.274857044 CET	443	49808	151.101.65.91	192.168.2.7
Nov 25, 2024 21:35:03.275167942 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:03.275269985 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:03.275284052 CET	443	49808	151.101.65.91	192.168.2.7
Nov 25, 2024 21:35:03.388983011 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:03.389023066 CET	443	49809	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:03.389305115 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:03.389480114 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:03.389494896 CET	443	49809	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.346268892 CET	443	49803	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:04.346360922 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.349566936 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.349589109 CET	443	49803	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:04.349845886 CET	443	49803	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:04.351980925 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.352085114 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.352112055 CET	443	49803	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:04.353441954 CET	49803	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.355247021 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:04.367671967 CET	443	49804	35.190.72.216	192.168.2.7
Nov 25, 2024 21:35:04.367686987 CET	443	49804	35.190.72.216	192.168.2.7
Nov 25, 2024 21:35:04.367760897 CET	49804	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:35:04.371668100 CET	49804	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:35:04.371676922 CET	443	49804	35.190.72.216	192.168.2.7
Nov 25, 2024 21:35:04.371746063 CET	49804	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:35:04.371802092 CET	443	49804	35.190.72.216	192.168.2.7
Nov 25, 2024 21:35:04.371943951 CET	49804	443	192.168.2.7	35.190.72.216
Nov 25, 2024 21:35:04.475256920 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:04.491202116 CET	443	49808	151.101.65.91	192.168.2.7
Nov 25, 2024 21:35:04.491283894 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:04.494103909 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:04.494115114 CET	443	49808	151.101.65.91	192.168.2.7
Nov 25, 2024 21:35:04.494318008 CET	443	49808	151.101.65.91	192.168.2.7
Nov 25, 2024 21:35:04.496009111 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:04.496093035 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:04.496125937 CET	443	49808	151.101.65.91	192.168.2.7
Nov 25, 2024 21:35:04.502764940 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:04.502783060 CET	49808	443	192.168.2.7	151.101.65.91
Nov 25, 2024 21:35:04.504591942 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.504635096 CET	443	49810	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.504745960 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.504856110 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.504870892 CET	443	49810	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.506973028 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.506998062 CET	443	49811	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.507586956 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.507720947 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.507733107 CET	443	49811	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.509321928 CET	443	49806	35.201.103.21	192.168.2.7
Nov 25, 2024 21:35:04.509872913 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.509912968 CET	443	49812	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.510257006 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.510261059 CET	49806	443	192.168.2.7	35.201.103.21
Nov 25, 2024 21:35:04.513422012 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.513446093 CET	443	49812	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.516123056 CET	49806	443	192.168.2.7	35.201.103.21
Nov 25, 2024 21:35:04.516134977 CET	443	49806	35.201.103.21	192.168.2.7
Nov 25, 2024 21:35:04.516204119 CET	49806	443	192.168.2.7	35.201.103.21
Nov 25, 2024 21:35:04.516362906 CET	443	49806	35.201.103.21	192.168.2.7
Nov 25, 2024 21:35:04.516449928 CET	49806	443	192.168.2.7	35.201.103.21
Nov 25, 2024 21:35:04.519618988 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.519648075 CET	443	49813	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:04.519732952 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.519845963 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:04.519859076 CET	443	49813	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:04.679267883 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:04.683029890 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:04.689533949 CET	443	49809	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.689662933 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.692718983 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.692727089 CET	443	49809	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.692966938 CET	443	49809	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.695136070 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.695225954 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.695295095 CET	443	49809	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:04.695384026 CET	49809	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:04.698443890 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:04.803015947 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:04.818401098 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:05.015850067 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:05.022711039 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:05.031999111 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:05.079472065 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:05.152518988 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:05.357448101 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:05.411592007 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:05.722430944 CET	443	49811	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.722554922 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.725105047 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.725123882 CET	443	49811	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.725352049 CET	443	49811	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.727737904 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.727828979 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.727871895 CET	443	49811	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.728008986 CET	49811	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.731981039 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:05.762231112 CET	443	49810	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.762319088 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.764852047 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.764894009 CET	443	49810	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.765213013 CET	443	49810	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.767596006 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.767712116 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.767796993 CET	443	49810	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.771177053 CET	49810	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.778284073 CET	443	49813	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:05.778414965 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:05.781197071 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:05.781208038 CET	443	49813	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:05.781461000 CET	443	49813	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:05.783534050 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:05.783617973 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:05.783694029 CET	443	49813	34.149.100.209	192.168.2.7
Nov 25, 2024 21:35:05.784322977 CET	49813	443	192.168.2.7	34.149.100.209
Nov 25, 2024 21:35:05.817034960 CET	443	49812	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.817110062 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.819606066 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.819617033 CET	443	49812	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.819817066 CET	443	49812	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.821938038 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.822009087 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.822057009 CET	443	49812	35.244.181.201	192.168.2.7
Nov 25, 2024 21:35:05.822750092 CET	49812	443	192.168.2.7	35.244.181.201
Nov 25, 2024 21:35:05.853128910 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:06.084444046 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:06.087845087 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:06.129250050 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:06.208884001 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:06.413574934 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:06.461347103 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:16.089656115 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:16.209825993 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:16.428282976 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:16.548424006 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:20.194955111 CET	49850	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:35:20.195050955 CET	443	49850	34.107.243.93	192.168.2.7
Nov 25, 2024 21:35:20.195550919 CET	49850	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:35:20.197515011 CET	49850	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:35:20.197545052 CET	443	49850	34.107.243.93	192.168.2.7
Nov 25, 2024 21:35:21.502382994 CET	443	49850	34.107.243.93	192.168.2.7
Nov 25, 2024 21:35:21.502496004 CET	49850	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:35:21.506850004 CET	49850	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:35:21.506882906 CET	443	49850	34.107.243.93	192.168.2.7
Nov 25, 2024 21:35:21.506942034 CET	49850	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:35:21.507029057 CET	443	49850	34.107.243.93	192.168.2.7
Nov 25, 2024 21:35:21.507097006 CET	49850	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:35:21.509435892 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:21.631632090 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:21.835621119 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:21.839713097 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:21.890255928 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:21.975635052 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:22.180140018 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:22.228308916 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:31.856606007 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:31.976835966 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:32.188855886 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:32.308722019 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:33.236612082 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.236644030 CET	443	49882	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.236915112 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.236951113 CET	443	49883	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.237107038 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.237153053 CET	443	49884	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.237232924 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.237324953 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.237333059 CET	443	49886	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.237340927 CET	443	49885	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.237472057 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.237513065 CET	443	49887	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.238446951 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238466024 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238466024 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238468885 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238471031 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238666058 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238672018 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238682032 CET	443	49882	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.238810062 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238826990 CET	443	49883	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.238882065 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238900900 CET	443	49887	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.238946915 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.238960028 CET	443	49886	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.239017010 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.239042997 CET	443	49885	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:33.239068985 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:33.239080906 CET	443	49884	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.450535059 CET	443	49882	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.450651884 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.454133034 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.454168081 CET	443	49882	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.454477072 CET	443	49882	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.457662106 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.457787037 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.457863092 CET	443	49882	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.458328009 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.458370924 CET	443	49888	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.458444118 CET	49882	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.458472967 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.458698988 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.458709955 CET	443	49888	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.460402012 CET	443	49886	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.462902069 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:34.463938951 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.466969013 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.466985941 CET	443	49886	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.467375040 CET	443	49886	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.470073938 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.470233917 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.470794916 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.470902920 CET	443	49889	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.470988989 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.471128941 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.471152067 CET	443	49889	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.472563982 CET	443	49886	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.472631931 CET	49886	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.497100115 CET	443	49885	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.497409105 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.497572899 CET	443	49884	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.498033047 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.498084068 CET	443	49883	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.498244047 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.500933886 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.500961065 CET	443	49885	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.501209974 CET	443	49885	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.503437996 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.503456116 CET	443	49884	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.503696918 CET	443	49884	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.505677938 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.505692005 CET	443	49883	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.505997896 CET	443	49883	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.509798050 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.509964943 CET	443	49885	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.510062933 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.510081053 CET	443	49885	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.510270119 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.510339975 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.510440111 CET	443	49884	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.510694981 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.510755062 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.510899067 CET	443	49883	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.510987043 CET	49884	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.511008024 CET	49883	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.511013985 CET	49885	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.543896914 CET	443	49887	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.544095993 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.548823118 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.548837900 CET	443	49887	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.549148083 CET	443	49887	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.551732063 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.551906109 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.551935911 CET	443	49887	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:34.552771091 CET	49887	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:34.582806110 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:34.787537098 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:34.791306019 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:34.835812092 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:34.911499023 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:35.116067886 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:35.168163061 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:35.761970997 CET	443	49888	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.762198925 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.764797926 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.764808893 CET	443	49888	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.765033007 CET	443	49888	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.766711950 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.766822100 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.766833067 CET	443	49888	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.766989946 CET	49888	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.769164085 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:35.780875921 CET	443	49889	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.780977964 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.783602953 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.783615112 CET	443	49889	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.783956051 CET	443	49889	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.792774916 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.792886972 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.793216944 CET	443	49889	34.120.208.123	192.168.2.7
Nov 25, 2024 21:35:35.801044941 CET	49889	443	192.168.2.7	34.120.208.123
Nov 25, 2024 21:35:35.889353037 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:36.102940083 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:36.108264923 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:36.155394077 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:36.229022980 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:36.433670044 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:36.487476110 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:46.115622044 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:46.235817909 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:46.447714090 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:46.567785025 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:56.244601965 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:56.365988970 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:35:56.576711893 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:35:56.696731091 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:01.858587027 CET	49952	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:36:01.858623028 CET	443	49952	34.107.243.93	192.168.2.7
Nov 25, 2024 21:36:01.858973026 CET	49952	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:36:01.860404968 CET	49952	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:36:01.860423088 CET	443	49952	34.107.243.93	192.168.2.7
Nov 25, 2024 21:36:03.118446112 CET	443	49952	34.107.243.93	192.168.2.7
Nov 25, 2024 21:36:03.118599892 CET	49952	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:36:03.123703003 CET	49952	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:36:03.123728037 CET	443	49952	34.107.243.93	192.168.2.7
Nov 25, 2024 21:36:03.123812914 CET	49952	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:36:03.123872042 CET	443	49952	34.107.243.93	192.168.2.7
Nov 25, 2024 21:36:03.123954058 CET	49952	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:36:03.126893044 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:03.247751951 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:03.452330112 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:03.456197023 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:03.497383118 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:03.576349974 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:03.780711889 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:03.820863962 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:13.463366032 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:13.583441019 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:13.795525074 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:13.915590048 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:23.589541912 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:23.712685108 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:23.928190947 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:24.049549103 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:33.718854904 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:33.863759995 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:34.057672024 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:34.178067923 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:43.883646011 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:44.006290913 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:44.184068918 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:44.304348946 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:54.012484074 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:54.132766008 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:36:54.313340902 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:36:54.433422089 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:04.141792059 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:04.262104034 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:04.442641973 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:04.566165924 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:14.269895077 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:14.389975071 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:14.570811987 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:14.690967083 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:23.415631056 CET	50038	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:37:23.415687084 CET	443	50038	34.107.243.93	192.168.2.7
Nov 25, 2024 21:37:23.415927887 CET	50038	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:37:23.417475939 CET	50038	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:37:23.417493105 CET	443	50038	34.107.243.93	192.168.2.7
Nov 25, 2024 21:37:24.399220943 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:24.520108938 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:24.700220108 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:24.724720001 CET	443	50038	34.107.243.93	192.168.2.7
Nov 25, 2024 21:37:24.724930048 CET	50038	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:37:24.730333090 CET	50038	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:37:24.730350971 CET	443	50038	34.107.243.93	192.168.2.7
Nov 25, 2024 21:37:24.730432987 CET	50038	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:37:24.730591059 CET	443	50038	34.107.243.93	192.168.2.7
Nov 25, 2024 21:37:24.730787992 CET	50038	443	192.168.2.7	34.107.243.93
Nov 25, 2024 21:37:24.733366013 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:24.821203947 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:24.853581905 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:25.058732986 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:25.062643051 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:25.101226091 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:25.183221102 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:25.389811039 CET	80	49734	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:25.433381081 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:35.061944008 CET	49717	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:35.182336092 CET	80	49717	34.107.221.82	192.168.2.7
Nov 25, 2024 21:37:35.400583029 CET	49734	80	192.168.2.7	34.107.221.82
Nov 25, 2024 21:37:35.520781994 CET	80	49734	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 21:34:34.944516897 CET	61684	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:34.945516109 CET	57239	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.084482908 CET	53	61684	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.087587118 CET	50604	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.088818073 CET	53929	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.089705944 CET	61232	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.226361990 CET	53	50604	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.226449013 CET	53	53929	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.227468014 CET	49941	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.227557898 CET	63640	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.229954958 CET	53	61232	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.231144905 CET	49336	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.371601105 CET	53	63640	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.375411987 CET	53	49336	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.385016918 CET	50441	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.405700922 CET	49213	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.523582935 CET	53	50441	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.523731947 CET	59177	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.527225971 CET	62168	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.546242952 CET	53	49213	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.553673029 CET	53	49941	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.554606915 CET	52606	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.667628050 CET	53	59177	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.668653965 CET	60712	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.670258999 CET	53	62168	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.670802116 CET	51582	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.703883886 CET	53	52606	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.714247942 CET	57021	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.806457043 CET	53	60712	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.809243917 CET	53	51582	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:35.851766109 CET	63188	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:35.856700897 CET	53	57021	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:36.348011017 CET	53	63188	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:36.351739883 CET	57734	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:36.352317095 CET	49437	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:36.357155085 CET	62256	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:36.400826931 CET	54621	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:36.490370989 CET	53	57734	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:36.491643906 CET	53	49437	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:36.495089054 CET	53	62256	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:36.495872974 CET	54782	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:36.635634899 CET	53	54782	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:36.821322918 CET	60270	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:36.874051094 CET	60686	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:37.012231112 CET	53	60686	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:37.014183044 CET	63030	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:37.152422905 CET	53	63030	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:37.156176090 CET	55859	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:37.294692993 CET	53	55859	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:37.430586100 CET	53	56303	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:39.770068884 CET	55862	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:39.907815933 CET	53	55862	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:39.914541006 CET	65488	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:39.918564081 CET	55846	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:40.054054022 CET	53	65488	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:40.057007074 CET	53	55846	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:40.080519915 CET	52959	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:40.081332922 CET	55931	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:40.084939957 CET	55606	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:40.217969894 CET	53	52959	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:40.218811989 CET	53	55931	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:40.220678091 CET	57866	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:40.221147060 CET	57624	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:40.227706909 CET	53	55606	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:40.358654022 CET	53	57866	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:40.360801935 CET	53	57624	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:45.717282057 CET	64755	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:45.717628002 CET	59156	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:45.717906952 CET	55058	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:45.855487108 CET	53	64755	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:45.856291056 CET	53	55058	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:45.856440067 CET	53	59156	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.251846075 CET	62817	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.252095938 CET	59761	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.252304077 CET	60491	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.389580965 CET	53	60491	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.390686035 CET	60077	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.391403913 CET	53	62817	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.392091036 CET	60386	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.467447996 CET	53	59761	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.470887899 CET	53866	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.530997038 CET	53	60077	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.531806946 CET	53	60386	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.561353922 CET	62240	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.561353922 CET	52161	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.698380947 CET	53	52161	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.698652983 CET	53	62240	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.700998068 CET	62512	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.702136040 CET	52078	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.726250887 CET	53	53866	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.727591038 CET	60965	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.838265896 CET	53	62512	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.839437962 CET	56514	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.840854883 CET	53	52078	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.841675997 CET	59692	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.866586924 CET	53	60965	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:46.868432999 CET	56986	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:46.981198072 CET	53	59692	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:47.010432005 CET	53	56986	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:47.086311102 CET	53	56514	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:48.963238001 CET	64739	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:51.681395054 CET	56245	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:51.704127073 CET	57299	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:51.842284918 CET	53	57299	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:52.970343113 CET	61043	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:53.111577034 CET	63425	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:53.301196098 CET	65535	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:53.543001890 CET	59913	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:53.986593962 CET	64317	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:54.315489054 CET	56243	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:54.455936909 CET	59034	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:54.644881010 CET	60893	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:54.783746004 CET	65360	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:55.540760994 CET	64472	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:55.679450989 CET	57317	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:55.867405891 CET	49169	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:56.006166935 CET	53927	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:57.773714066 CET	54914	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:57.911103010 CET	53	54914	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:57.912305117 CET	63105	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:34:58.050513983 CET	53	63105	1.1.1.1	192.168.2.7
Nov 25, 2024 21:34:59.229995966 CET	60768	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.028060913 CET	62564	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.043766022 CET	50403	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.190032005 CET	53	50403	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:03.197000027 CET	50085	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.273500919 CET	53	62564	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:03.275621891 CET	63265	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.335186005 CET	53	50085	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:03.336157084 CET	60550	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.389163971 CET	63018	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.423305988 CET	53	63265	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:03.426565886 CET	59306	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:03.474956036 CET	53	60550	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:03.526601076 CET	53	63018	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:03.567881107 CET	53	59306	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:20.195493937 CET	62943	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:20.333097935 CET	53	62943	1.1.1.1	192.168.2.7
Nov 25, 2024 21:35:33.237660885 CET	51844	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:35:33.381227970 CET	53	51844	1.1.1.1	192.168.2.7
Nov 25, 2024 21:36:01.719510078 CET	60383	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:36:01.857428074 CET	53	60383	1.1.1.1	192.168.2.7
Nov 25, 2024 21:36:01.858863115 CET	52596	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:36:01.996481895 CET	53	52596	1.1.1.1	192.168.2.7
Nov 25, 2024 21:36:03.126997948 CET	61263	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:36:03.267096043 CET	55035	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:36:03.411231041 CET	57957	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:36:03.457441092 CET	52879	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:36:03.554219007 CET	53	57957	1.1.1.1	192.168.2.7
Nov 25, 2024 21:37:23.130624056 CET	50093	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:37:23.269653082 CET	53	50093	1.1.1.1	192.168.2.7
Nov 25, 2024 21:37:23.270994902 CET	56614	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:37:23.414453983 CET	53	56614	1.1.1.1	192.168.2.7
Nov 25, 2024 21:37:23.415642977 CET	49761	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:37:23.557189941 CET	53	49761	1.1.1.1	192.168.2.7
Nov 25, 2024 21:37:24.733664036 CET	57395	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:37:24.874135971 CET	65190	53	192.168.2.7	1.1.1.1
Nov 25, 2024 21:37:25.013916016 CET	53	65190	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 21:34:34.944516897 CET	192.168.2.7	1.1.1.1	0x9d59	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:34.945516109 CET	192.168.2.7	1.1.1.1	0xd53f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.087587118 CET	192.168.2.7	1.1.1.1	0x2cb7	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.088818073 CET	192.168.2.7	1.1.1.1	0xa5af	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.089705944 CET	192.168.2.7	1.1.1.1	0x834c	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.227468014 CET	192.168.2.7	1.1.1.1	0x7ce1	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:35.227557898 CET	192.168.2.7	1.1.1.1	0x3c61	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:35.231144905 CET	192.168.2.7	1.1.1.1	0xffa4	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:35.385016918 CET	192.168.2.7	1.1.1.1	0x7ad9	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.405700922 CET	192.168.2.7	1.1.1.1	0x7a8a	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.523731947 CET	192.168.2.7	1.1.1.1	0x4d57	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.527225971 CET	192.168.2.7	1.1.1.1	0xfe0e	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.554606915 CET	192.168.2.7	1.1.1.1	0x3de9	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.668653965 CET	192.168.2.7	1.1.1.1	0x9cb6	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:35.670802116 CET	192.168.2.7	1.1.1.1	0xd27e	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:35.714247942 CET	192.168.2.7	1.1.1.1	0x9f5e	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:35.851766109 CET	192.168.2.7	1.1.1.1	0x60c2	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.351739883 CET	192.168.2.7	1.1.1.1	0xc739	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.352317095 CET	192.168.2.7	1.1.1.1	0xee1e	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.357155085 CET	192.168.2.7	1.1.1.1	0x7076	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.400826931 CET	192.168.2.7	1.1.1.1	0x701d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.495872974 CET	192.168.2.7	1.1.1.1	0x2919	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:36.821322918 CET	192.168.2.7	1.1.1.1	0x8704	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.874051094 CET	192.168.2.7	1.1.1.1	0xa8e6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:37.014183044 CET	192.168.2.7	1.1.1.1	0x3c4c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:37.156176090 CET	192.168.2.7	1.1.1.1	0xc103	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:39.770068884 CET	192.168.2.7	1.1.1.1	0xb390	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:39.914541006 CET	192.168.2.7	1.1.1.1	0xfe0f	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:39.918564081 CET	192.168.2.7	1.1.1.1	0xbb	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.080519915 CET	192.168.2.7	1.1.1.1	0xfabc	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.081332922 CET	192.168.2.7	1.1.1.1	0x604b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.084939957 CET	192.168.2.7	1.1.1.1	0xf801	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:40.220678091 CET	192.168.2.7	1.1.1.1	0x4a7a	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:40.221147060 CET	192.168.2.7	1.1.1.1	0xa988	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:45.717282057 CET	192.168.2.7	1.1.1.1	0x7cb1	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.717628002 CET	192.168.2.7	1.1.1.1	0xeb36	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.717906952 CET	192.168.2.7	1.1.1.1	0x9f59	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.251846075 CET	192.168.2.7	1.1.1.1	0xaf0f	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.252095938 CET	192.168.2.7	1.1.1.1	0xb839	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.252304077 CET	192.168.2.7	1.1.1.1	0x63f6	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.390686035 CET	192.168.2.7	1.1.1.1	0xa07	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:46.392091036 CET	192.168.2.7	1.1.1.1	0x5468	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:46.470887899 CET	192.168.2.7	1.1.1.1	0xe7a4	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 25, 2024 21:34:46.561353922 CET	192.168.2.7	1.1.1.1	0x7a51	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.561353922 CET	192.168.2.7	1.1.1.1	0xdc6a	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.700998068 CET	192.168.2.7	1.1.1.1	0x3dc	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.702136040 CET	192.168.2.7	1.1.1.1	0x74e4	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.727591038 CET	192.168.2.7	1.1.1.1	0x5b2e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:46.839437962 CET	192.168.2.7	1.1.1.1	0xf0a0	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 25, 2024 21:34:46.841675997 CET	192.168.2.7	1.1.1.1	0x6c32	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:46.868432999 CET	192.168.2.7	1.1.1.1	0x13a7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:48.963238001 CET	192.168.2.7	1.1.1.1	0x1174	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:51.681395054 CET	192.168.2.7	1.1.1.1	0xe50b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:51.704127073 CET	192.168.2.7	1.1.1.1	0x570f	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:52.970343113 CET	192.168.2.7	1.1.1.1	0x533c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.111577034 CET	192.168.2.7	1.1.1.1	0x6a1b	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.301196098 CET	192.168.2.7	1.1.1.1	0xed62	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.543001890 CET	192.168.2.7	1.1.1.1	0xce83	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.986593962 CET	192.168.2.7	1.1.1.1	0x2f5c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.315489054 CET	192.168.2.7	1.1.1.1	0x652f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.455936909 CET	192.168.2.7	1.1.1.1	0xea62	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.644881010 CET	192.168.2.7	1.1.1.1	0xe9f6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.783746004 CET	192.168.2.7	1.1.1.1	0x9cac	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:55.540760994 CET	192.168.2.7	1.1.1.1	0xd10f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:55.679450989 CET	192.168.2.7	1.1.1.1	0x5055	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:55.867405891 CET	192.168.2.7	1.1.1.1	0xe17d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:56.006166935 CET	192.168.2.7	1.1.1.1	0xa11a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:57.773714066 CET	192.168.2.7	1.1.1.1	0x1689	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:57.912305117 CET	192.168.2.7	1.1.1.1	0x8b53	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:34:59.229995966 CET	192.168.2.7	1.1.1.1	0x126c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.028060913 CET	192.168.2.7	1.1.1.1	0x9c93	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.043766022 CET	192.168.2.7	1.1.1.1	0xd2c4	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.197000027 CET	192.168.2.7	1.1.1.1	0xefc6	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.275621891 CET	192.168.2.7	1.1.1.1	0x73cb	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.336157084 CET	192.168.2.7	1.1.1.1	0x418f	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:35:03.389163971 CET	192.168.2.7	1.1.1.1	0xe58	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 25, 2024 21:35:03.426565886 CET	192.168.2.7	1.1.1.1	0x9ba4	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 25, 2024 21:35:20.195493937 CET	192.168.2.7	1.1.1.1	0x83d1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:35:33.237660885 CET	192.168.2.7	1.1.1.1	0xf940	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:36:01.719510078 CET	192.168.2.7	1.1.1.1	0xd064	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:01.858863115 CET	192.168.2.7	1.1.1.1	0x21e7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:36:03.126997948 CET	192.168.2.7	1.1.1.1	0x9379	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:03.267096043 CET	192.168.2.7	1.1.1.1	0x3f0d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:03.411231041 CET	192.168.2.7	1.1.1.1	0xc465	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:03.457441092 CET	192.168.2.7	1.1.1.1	0xc925	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:23.130624056 CET	192.168.2.7	1.1.1.1	0xb8e5	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:23.270994902 CET	192.168.2.7	1.1.1.1	0xce17	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:23.415642977 CET	192.168.2.7	1.1.1.1	0x1b0c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 25, 2024 21:37:24.733664036 CET	192.168.2.7	1.1.1.1	0x6bd6	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:24.874135971 CET	192.168.2.7	1.1.1.1	0xd3e8	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 21:34:35.083830118 CET	1.1.1.1	192.168.2.7	0xcbe6	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.084482908 CET	1.1.1.1	192.168.2.7	0x9d59	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.085380077 CET	1.1.1.1	192.168.2.7	0xd53f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:35.085380077 CET	1.1.1.1	192.168.2.7	0xd53f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.226361990 CET	1.1.1.1	192.168.2.7	0x2cb7	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.226449013 CET	1.1.1.1	192.168.2.7	0xa5af	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.229954958 CET	1.1.1.1	192.168.2.7	0x834c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.371601105 CET	1.1.1.1	192.168.2.7	0x3c61	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 25, 2024 21:34:35.375411987 CET	1.1.1.1	192.168.2.7	0xffa4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 21:34:35.522203922 CET	1.1.1.1	192.168.2.7	0x979d	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:35.522203922 CET	1.1.1.1	192.168.2.7	0x979d	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.523582935 CET	1.1.1.1	192.168.2.7	0x7ad9	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.546242952 CET	1.1.1.1	192.168.2.7	0x7a8a	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:35.546242952 CET	1.1.1.1	192.168.2.7	0x7a8a	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.667628050 CET	1.1.1.1	192.168.2.7	0x4d57	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.670258999 CET	1.1.1.1	192.168.2.7	0xfe0e	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:35.703883886 CET	1.1.1.1	192.168.2.7	0x3de9	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.348011017 CET	1.1.1.1	192.168.2.7	0x60c2	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:36.348011017 CET	1.1.1.1	192.168.2.7	0x60c2	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:36.348011017 CET	1.1.1.1	192.168.2.7	0x60c2	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.490370989 CET	1.1.1.1	192.168.2.7	0xc739	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.491643906 CET	1.1.1.1	192.168.2.7	0xee1e	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.491643906 CET	1.1.1.1	192.168.2.7	0xee1e	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.495089054 CET	1.1.1.1	192.168.2.7	0x7076	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.542300940 CET	1.1.1.1	192.168.2.7	0x701d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:36.542300940 CET	1.1.1.1	192.168.2.7	0x701d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:36.635634899 CET	1.1.1.1	192.168.2.7	0x2919	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 25, 2024 21:34:37.012231112 CET	1.1.1.1	192.168.2.7	0xa8e6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:37.060307026 CET	1.1.1.1	192.168.2.7	0x8704	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:37.152422905 CET	1.1.1.1	192.168.2.7	0x3c4c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:39.907815933 CET	1.1.1.1	192.168.2.7	0xb390	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:39.907815933 CET	1.1.1.1	192.168.2.7	0xb390	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:39.907815933 CET	1.1.1.1	192.168.2.7	0xb390	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.054054022 CET	1.1.1.1	192.168.2.7	0xfe0f	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:40.054054022 CET	1.1.1.1	192.168.2.7	0xfe0f	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.054286003 CET	1.1.1.1	192.168.2.7	0xdc7b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.057007074 CET	1.1.1.1	192.168.2.7	0xbb	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.146514893 CET	1.1.1.1	192.168.2.7	0x25cc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:40.146514893 CET	1.1.1.1	192.168.2.7	0x25cc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.217969894 CET	1.1.1.1	192.168.2.7	0xfabc	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:40.218811989 CET	1.1.1.1	192.168.2.7	0x604b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.855487108 CET	1.1.1.1	192.168.2.7	0x7cb1	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.856291056 CET	1.1.1.1	192.168.2.7	0x9f59	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:45.856291056 CET	1.1.1.1	192.168.2.7	0x9f59	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:45.856440067 CET	1.1.1.1	192.168.2.7	0xeb36	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:45.856440067 CET	1.1.1.1	192.168.2.7	0xeb36	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.389580965 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.391403913 CET	1.1.1.1	192.168.2.7	0xaf0f	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.467447996 CET	1.1.1.1	192.168.2.7	0xb839	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.530997038 CET	1.1.1.1	192.168.2.7	0xa07	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 21:34:46.530997038 CET	1.1.1.1	192.168.2.7	0xa07	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 21:34:46.530997038 CET	1.1.1.1	192.168.2.7	0xa07	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 21:34:46.530997038 CET	1.1.1.1	192.168.2.7	0xa07	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 25, 2024 21:34:46.531806946 CET	1.1.1.1	192.168.2.7	0x5468	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 25, 2024 21:34:46.583394051 CET	1.1.1.1	192.168.2.7	0x820f	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.698380947 CET	1.1.1.1	192.168.2.7	0xdc6a	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.698652983 CET	1.1.1.1	192.168.2.7	0x7a51	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:46.698652983 CET	1.1.1.1	192.168.2.7	0x7a51	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.698652983 CET	1.1.1.1	192.168.2.7	0x7a51	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.698652983 CET	1.1.1.1	192.168.2.7	0x7a51	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.698652983 CET	1.1.1.1	192.168.2.7	0x7a51	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.726250887 CET	1.1.1.1	192.168.2.7	0xe7a4	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 25, 2024 21:34:46.838265896 CET	1.1.1.1	192.168.2.7	0x3dc	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.838265896 CET	1.1.1.1	192.168.2.7	0x3dc	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.838265896 CET	1.1.1.1	192.168.2.7	0x3dc	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.838265896 CET	1.1.1.1	192.168.2.7	0x3dc	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:46.840854883 CET	1.1.1.1	192.168.2.7	0x74e4	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:49.101130962 CET	1.1.1.1	192.168.2.7	0x1174	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:49.101130962 CET	1.1.1.1	192.168.2.7	0x1174	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:51.936990976 CET	1.1.1.1	192.168.2.7	0xe50b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:51.936990976 CET	1.1.1.1	192.168.2.7	0xe50b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.109728098 CET	1.1.1.1	192.168.2.7	0x533c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:53.109728098 CET	1.1.1.1	192.168.2.7	0x533c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.249860048 CET	1.1.1.1	192.168.2.7	0x6a1b	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:53.249860048 CET	1.1.1.1	192.168.2.7	0x6a1b	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.541213036 CET	1.1.1.1	192.168.2.7	0xed62	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:53.541213036 CET	1.1.1.1	192.168.2.7	0xed62	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:53.680880070 CET	1.1.1.1	192.168.2.7	0xce83	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:53.680880070 CET	1.1.1.1	192.168.2.7	0xce83	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.124650955 CET	1.1.1.1	192.168.2.7	0x2f5c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:54.124650955 CET	1.1.1.1	192.168.2.7	0x2f5c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.454622984 CET	1.1.1.1	192.168.2.7	0x652f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:54.454622984 CET	1.1.1.1	192.168.2.7	0x652f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.593678951 CET	1.1.1.1	192.168.2.7	0xea62	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:54.593678951 CET	1.1.1.1	192.168.2.7	0xea62	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.782512903 CET	1.1.1.1	192.168.2.7	0xe9f6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:54.782512903 CET	1.1.1.1	192.168.2.7	0xe9f6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:54.922487974 CET	1.1.1.1	192.168.2.7	0x9cac	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:54.922487974 CET	1.1.1.1	192.168.2.7	0x9cac	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:55.678497076 CET	1.1.1.1	192.168.2.7	0xd10f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:55.678497076 CET	1.1.1.1	192.168.2.7	0xd10f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:55.824551105 CET	1.1.1.1	192.168.2.7	0x5055	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:55.824551105 CET	1.1.1.1	192.168.2.7	0x5055	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:56.005011082 CET	1.1.1.1	192.168.2.7	0xe17d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:56.005011082 CET	1.1.1.1	192.168.2.7	0xe17d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:56.144432068 CET	1.1.1.1	192.168.2.7	0xa11a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:56.144432068 CET	1.1.1.1	192.168.2.7	0xa11a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:57.911103010 CET	1.1.1.1	192.168.2.7	0x1689	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:34:59.368691921 CET	1.1.1.1	192.168.2.7	0x126c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:34:59.368691921 CET	1.1.1.1	192.168.2.7	0x126c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.190032005 CET	1.1.1.1	192.168.2.7	0xd2c4	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:35:03.190032005 CET	1.1.1.1	192.168.2.7	0xd2c4	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.273500919 CET	1.1.1.1	192.168.2.7	0x9c93	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.273500919 CET	1.1.1.1	192.168.2.7	0x9c93	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.273500919 CET	1.1.1.1	192.168.2.7	0x9c93	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.273500919 CET	1.1.1.1	192.168.2.7	0x9c93	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.335186005 CET	1.1.1.1	192.168.2.7	0xefc6	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.384569883 CET	1.1.1.1	192.168.2.7	0xf4f1	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:35:03.384569883 CET	1.1.1.1	192.168.2.7	0xf4f1	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.423305988 CET	1.1.1.1	192.168.2.7	0x73cb	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.423305988 CET	1.1.1.1	192.168.2.7	0x73cb	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.423305988 CET	1.1.1.1	192.168.2.7	0x73cb	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.423305988 CET	1.1.1.1	192.168.2.7	0x73cb	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:35:03.567881107 CET	1.1.1.1	192.168.2.7	0x9ba4	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 21:35:03.567881107 CET	1.1.1.1	192.168.2.7	0x9ba4	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 21:35:03.567881107 CET	1.1.1.1	192.168.2.7	0x9ba4	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 21:35:03.567881107 CET	1.1.1.1	192.168.2.7	0x9ba4	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 25, 2024 21:35:06.294495106 CET	1.1.1.1	192.168.2.7	0xba27	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:35:06.294495106 CET	1.1.1.1	192.168.2.7	0xba27	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:35:33.234746933 CET	1.1.1.1	192.168.2.7	0x78ce	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:01.857428074 CET	1.1.1.1	192.168.2.7	0xd064	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:03.265964031 CET	1.1.1.1	192.168.2.7	0x9379	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:36:03.265964031 CET	1.1.1.1	192.168.2.7	0x9379	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:03.410243034 CET	1.1.1.1	192.168.2.7	0x3f0d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:36:03.410243034 CET	1.1.1.1	192.168.2.7	0x3f0d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:03.554219007 CET	1.1.1.1	192.168.2.7	0xc465	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:36:03.925543070 CET	1.1.1.1	192.168.2.7	0xc925	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:36:03.925543070 CET	1.1.1.1	192.168.2.7	0xc925	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:23.269653082 CET	1.1.1.1	192.168.2.7	0xb8e5	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:23.414453983 CET	1.1.1.1	192.168.2.7	0xce17	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:24.872437954 CET	1.1.1.1	192.168.2.7	0x6bd6	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 21:37:24.872437954 CET	1.1.1.1	192.168.2.7	0x6bd6	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 25, 2024 21:37:25.013916016 CET	1.1.1.1	192.168.2.7	0xd3e8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49711	34.107.221.82	80	7524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 21:34:35.209673882 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:36.295902014 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42228 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49716	34.107.221.82	80	7524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 21:34:36.670331001 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:37.821914911 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 03:13:58 GMT Age: 62439 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49717	34.107.221.82	80	7524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 21:34:36.888072014 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:38.021459103 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42229 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:39.912599087 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:40.237437010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42232 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:45.719477892 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:46.045018911 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42237 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:47.764146090 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:48.088593006 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42239 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:49.291846037 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:49.615916967 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42241 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:51.699081898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:52.023052931 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42243 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:52.969799042 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:53.294935942 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42245 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:53.658670902 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:53.982618093 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42245 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:54.315197945 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:54.641031981 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42246 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:55.540504932 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:55.864509106 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42247 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:34:59.230132103 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:34:59.554151058 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42251 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:35:04.355247021 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:35:04.679267883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42256 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:35:04.698443890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:35:05.022711039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42256 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:35:05.731981039 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:35:06.084444046 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42257 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:35:16.089656115 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:35:21.509435892 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:35:21.835621119 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42273 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:35:31.856606007 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:35:34.462902069 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:35:34.787537098 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42286 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:35:35.769164085 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:35:36.102940083 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42287 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:35:46.115622044 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:35:56.244601965 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:03.126893044 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:36:03.452330112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42315 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 25, 2024 21:36:13.463366032 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:23.589541912 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:33.718854904 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:43.883646011 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:54.012484074 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:37:04.141792059 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:37:24.733366013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 25, 2024 21:37:25.058732986 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 42396 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49734	34.107.221.82	80	7524	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 25, 2024 21:34:40.362792015 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:41.495492935 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42234 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:46.446676970 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:46.771457911 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42239 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:48.976104975 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:49.301297903 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42242 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:51.680779934 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:52.012312889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42244 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:52.027683973 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:52.353844881 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42245 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:53.301340103 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:53.643867970 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42246 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:53.986772060 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:54.313014984 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42247 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:54.644653082 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:54.969432116 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42247 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:55.867168903 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:56.191701889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42249 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:34:59.557631969 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:34:59.888372898 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42252 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:35:04.683029890 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:35:05.015850067 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42257 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:35:05.031999111 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:35:05.357448101 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42258 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:35:06.087845087 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:35:06.413574934 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:35:16.428282976 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:35:21.839713097 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:35:22.180140018 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42275 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:35:32.188855886 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:35:34.791306019 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:35:35.116067886 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42287 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:35:36.108264923 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:35:36.433670044 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42289 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:35:46.447714090 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:35:56.576711893 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:03.456197023 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:36:03.780711889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42316 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 25, 2024 21:36:13.795525074 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:23.928190947 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:34.057672024 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:44.184068918 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:36:54.313340902 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:37:04.442641973 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 25, 2024 21:37:25.062643051 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 25, 2024 21:37:25.389811039 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:47 GMT Age: 42398 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Target ID:	0
Start time:	15:34:27
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x6b0000
File size:	922'112 bytes
MD5 hash:	55181CF50AFA00196C7CBD00013E03A6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1311074384.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1247421229.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:34:27
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xc40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:34:27
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:34:29
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xc40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:34:29
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	15:34:29
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xc40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:34:29
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:34:30
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xc40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:34:30
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:34:30
Start date:	25/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xc40000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:34:30
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:34:30
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:34:30
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	15:34:30
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	15:34:31
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2300 -parentBuildID 20230927232528 -prefsHandle 2244 -prefMapHandle 2236 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e90d6c24-d50b-4b75-8f35-614cb58272e1} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4df26df10 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	15:34:33
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4008 -parentBuildID 20230927232528 -prefsHandle 4000 -prefMapHandle 3996 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {029f5e9b-d31f-417f-878f-f26b29793504} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f11e8b10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	15:34:39
Start date:	25/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5008 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4916 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {43d47f84-ba1a-4e37-9bbb-53b6fefaa308} 7524 "\\.\pipe\gecko-crash-server-pipe.7524" 1b4f01beb10 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.6%
Total number of Nodes:	1559
Total number of Limit Nodes:	66

Executed Functions

Function 006B42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 006B430D

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

GetCurrentProcess.KERNEL32(?,0074CB64,00000000,?,?), ref: 006B4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 006B4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 006B4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 006B4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 006B4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 006B447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006B44A0

Strings

GetNativeSystemInfo, xrefs: 006B4460
|O, xrefs: 006F36F8
kernel32.dll, xrefs: 006B444F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9fd2830633a8d82ce32e72ced70680dd23a5e5652f6b506b8dc61b8c98d0436d
Instruction ID: 16031b828e3107327bbc0885d27cbe7bd544349ba7e0669adce6551253ec0373
Opcode Fuzzy Hash: 9fd2830633a8d82ce32e72ced70680dd23a5e5652f6b506b8dc61b8c98d0436d
Instruction Fuzzy Hash: 3FA1D4B198A2D4CFC712C7697C441E53FEEAB26710BA8C899D08193F22D66C455BCB2D

Function 006B42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006B50AA,?,?,00000000,00000000), ref: 006B42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006B50AA,?,?,00000000,00000000), ref: 006B42C9
LoadResource.KERNEL32(?,00000000,?,?,006B50AA,?,?,00000000,00000000,?,?,?,?,?,?,006B4F20), ref: 006F35BE
SizeofResource.KERNEL32(?,00000000,?,?,006B50AA,?,?,00000000,00000000,?,?,?,?,?,?,006B4F20), ref: 006F35D3
LockResource.KERNEL32(006B50AA,?,?,006B50AA,?,?,00000000,00000000,?,?,?,?,?,?,006B4F20,?), ref: 006F35E6

Strings

SCRIPT, xrefs: 006B42BF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f9641314ecb6488ff0cc594e947cabd7590d7bc247bf291a3de271d77ce8867c
Instruction ID: cecb0b362aa3d7923aced2dcd6ed26a2d990bd7d566a7107d5373eda76381caf
Opcode Fuzzy Hash: f9641314ecb6488ff0cc594e947cabd7590d7bc247bf291a3de271d77ce8867c
Instruction Fuzzy Hash: 4E117CB4241700BFE7228FA5DC49FA77BBAEFC6B51F10816AF40296260DBB1D9409620

Function 006F2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 006B2B6B

Part of subcall function 006B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00781418,?,006B2E7F,?,?,?,00000000), ref: 006B3A78

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00772224), ref: 006F2C10
ShellExecuteW.SHELL32(00000000,?,?,00772224), ref: 006F2C17

Strings

runas, xrefs: 006F2C0B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 7d69b9e82f6619a115ecbbe9fd4127512155c2d32f48e0c6eb2fdf923c97349a
Instruction ID: aaac759b80fdb9967bed73fbd3cedb7193c15322a4e683dedcefefb9a2da4315
Opcode Fuzzy Hash: 7d69b9e82f6619a115ecbbe9fd4127512155c2d32f48e0c6eb2fdf923c97349a
Instruction Fuzzy Hash: C51106B12083866AC785FF60D8619FE7BEA9F91344F44542DF246021A3CF2485CAC71A

Function 0071D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0071D501
Process32FirstW.KERNEL32(00000000,?), ref: 0071D50F
Process32NextW.KERNEL32(00000000,?), ref: 0071D52F
CloseHandle.KERNELBASE(00000000), ref: 0071D5DC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a62e8e16ec11e9208a3b10c695582d72f50c74635fd9cb975f6f11cb533eafca
Instruction ID: 6a559e2db345d350387bf077ffa6628df695057c2fe53405fb24934cddfa0914
Opcode Fuzzy Hash: a62e8e16ec11e9208a3b10c695582d72f50c74635fd9cb975f6f11cb533eafca
Instruction Fuzzy Hash: 2831C4B11083009FD315EF54C881AEFBBF9EF99354F14092DF681821A1EB719984CBA2

Function 0071DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,006F5222), ref: 0071DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0071DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0071DBEE
FindClose.KERNEL32(00000000), ref: 0071DBFA

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c3abbd9f8df9d873998628639edf95421ff024ccf64c1bf6080c24917f9bcefe
Instruction ID: 960b6d2ce1c208f7dcba7b3dc8fdd86dc4514d7714b014d94498296892482b28
Opcode Fuzzy Hash: c3abbd9f8df9d873998628639edf95421ff024ccf64c1bf6080c24917f9bcefe
Instruction Fuzzy Hash: 2CF082344119149B93316F6C9C0D4EA376CAE02334B108B02F535C10E0EBF85D94C9E9

Function 006D4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006E28E9,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002,00000000,?,006E28E9), ref: 006D4D09
TerminateProcess.KERNEL32(00000000,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002,00000000,?,006E28E9), ref: 006D4D10
ExitProcess.KERNEL32 ref: 006D4D22

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5da1061113eedea3b9cbb25d1dd4b170d64adb50e3e28d0b2b78fab68f99687a
Instruction ID: 215a9a542e8dcc2a0f104a2afa83651b7878b45dd8948795e0aa6d3ae9d64911
Opcode Fuzzy Hash: 5da1061113eedea3b9cbb25d1dd4b170d64adb50e3e28d0b2b78fab68f99687a
Instruction Fuzzy Hash: 84E0BF35401148ABCF626F54DD09A583B6BEF42741B148019FC058B322DB39DD41CA84

Function 006BBF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#x, xrefs: 007007CE

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#x
API String ID: 3964851224-1271349037
Opcode ID: b486393c4fbd5f510e16ce58fe4707e1c645e2d811a1b57942d9641d7aef85b0
Instruction ID: c6a201b750ecfa36bbce1eac1a249f0c6bbfeb298d9d2a0d018262c2864c30fe
Opcode Fuzzy Hash: b486393c4fbd5f510e16ce58fe4707e1c645e2d811a1b57942d9641d7aef85b0
Instruction Fuzzy Hash: 66A26EB0608341DFD750DF18C480B6AB7E2BF89324F14896DE89A8B352D775ED85CB92

Function 0073AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0073B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0073B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0073B1D4
_wcslen.LIBCMT ref: 0073B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0073B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0073B236
_wcslen.LIBCMT ref: 0073B332

Part of subcall function 007205A7: GetStdHandle.KERNEL32(000000F6), ref: 007205C6

_wcslen.LIBCMT ref: 0073B34B
_wcslen.LIBCMT ref: 0073B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0073B3B6
GetLastError.KERNEL32(00000000), ref: 0073B407
CloseHandle.KERNEL32(?), ref: 0073B439
CloseHandle.KERNEL32(00000000), ref: 0073B44A
CloseHandle.KERNEL32(00000000), ref: 0073B45C
CloseHandle.KERNEL32(00000000), ref: 0073B46E
CloseHandle.KERNEL32(?), ref: 0073B4E3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: ddb49904b478d8ff45690f645cf605ac4e48463b5f218db817ae438de1a6ee53
Instruction ID: 3e1a592663a12bf97819c23ba8f2a5acbe6499be3ffd5809fbca639b9c950735
Opcode Fuzzy Hash: ddb49904b478d8ff45690f645cf605ac4e48463b5f218db817ae438de1a6ee53
Instruction Fuzzy Hash: 0DF1BC71608340DFD764EF24C891B6EBBE6AF85310F14855DF9898B2A2DB35EC40CB96

Function 006BD730 Relevance: 21.6, APIs: 14, Instructions: 627sleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006BD807
timeGetTime.WINMM ref: 006BDA07
Sleep.KERNELBASE(0000000A), ref: 006BDBB1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: eebf25ca1e1ea4016c280aaca71291cb7dd466496040e5dfa43ce5b58e81c7a8
Instruction ID: c016dd2bdfd027a4c2bb878ecacd96ac33174097452fa3e52e1717a8bb9bac0b
Opcode Fuzzy Hash: eebf25ca1e1ea4016c280aaca71291cb7dd466496040e5dfa43ce5b58e81c7a8
Instruction Fuzzy Hash: DF4234B0604241EFD728DF24C848BEAB7E2BF45304F54861DE8558B3D2E778E885CB92

Function 006B2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006B2D07
RegisterClassExW.USER32(00000030), ref: 006B2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006B2D42
InitCommonControlsEx.COMCTL32(?), ref: 006B2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006B2D6F
LoadIconW.USER32(000000A9), ref: 006B2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006B2D94

Strings

TaskbarCreated, xrefs: 006B2D37
+, xrefs: 006B2CF0
0, xrefs: 006B2CE9
AutoIt v3 GUI, xrefs: 006B2D23

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 2baf5da3db4e3c5382812f64d0987664eb5cfdf2daa4e5d4c55cae1a93ca6cdd
Instruction ID: 673152e5dc39dc034613f64711aaa469f35cba52298d9511c80bbe3f9ba298b0
Opcode Fuzzy Hash: 2baf5da3db4e3c5382812f64d0987664eb5cfdf2daa4e5d4c55cae1a93ca6cdd
Instruction Fuzzy Hash: 0621F2B5942348AFDB41DFA4EC89BDDBBB8FB09700F10811AF511A62A0D7B91541CFA8

Function 006F065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006F039A: CreateFileW.KERNELBASE(00000000,00000000,?,006F0704,?,?,00000000,?,006F0704,00000000,0000000C), ref: 006F03B7

GetLastError.KERNEL32 ref: 006F076F
__dosmaperr.LIBCMT ref: 006F0776
GetFileType.KERNELBASE(00000000), ref: 006F0782
GetLastError.KERNEL32 ref: 006F078C
__dosmaperr.LIBCMT ref: 006F0795
CloseHandle.KERNEL32(00000000), ref: 006F07B5
CloseHandle.KERNEL32(?), ref: 006F08FF
GetLastError.KERNEL32 ref: 006F0931
__dosmaperr.LIBCMT ref: 006F0938

Strings

H, xrefs: 006F08BD

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 5540c7a0161db3c14f5ef8236e18c5388b34d9f8bfcb678a057269fb8b24652b
Instruction ID: d0b9bdec117b00cbe3b6c0474cc0a3d2b8e13c88fdfda757f13f16eecb8c37c3
Opcode Fuzzy Hash: 5540c7a0161db3c14f5ef8236e18c5388b34d9f8bfcb678a057269fb8b24652b
Instruction Fuzzy Hash: 4DA12536A001088FEF19AF68D851BBE7BA2AF06320F24415EF915DF392D7359912CB95

Function 006B344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006B3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00781418,?,006B2E7F,?,?,?,00000000), ref: 006B3A78

Part of subcall function 006B3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006B3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006B356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006F318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006F31CE
RegCloseKey.ADVAPI32(?), ref: 006F3210
_wcslen.LIBCMT ref: 006F3277
_wcslen.LIBCMT ref: 006F3286

Strings

\, xrefs: 006F328C
Include, xrefs: 006F3184, 006F31C5
\Include\, xrefs: 006B3527
Software\AutoIt v3\AutoIt, xrefs: 006B3560

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 19145d8ba459b3b1bf35924a70d20c4d054a8da9a85fb2ea53eb5e29364a418d
Instruction ID: 2dedb7c9be425cf35d5826f5731567d70f9018aa14db0b3bec2b48c33628a20c
Opcode Fuzzy Hash: 19145d8ba459b3b1bf35924a70d20c4d054a8da9a85fb2ea53eb5e29364a418d
Instruction Fuzzy Hash: CD71E4B15443009FC344EF65DC919ABBBE9FF85340F60842EF54583272EB389A49CB69

Function 006B2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 006B2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 006B2B9D
LoadIconW.USER32(00000063), ref: 006B2BB3
LoadIconW.USER32(000000A4), ref: 006B2BC5
LoadIconW.USER32(000000A2), ref: 006B2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 006B2BEF
RegisterClassExW.USER32(?), ref: 006B2C40

Part of subcall function 006B2CD4: GetSysColorBrush.USER32(0000000F), ref: 006B2D07
Part of subcall function 006B2CD4: RegisterClassExW.USER32(00000030), ref: 006B2D31
Part of subcall function 006B2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006B2D42
Part of subcall function 006B2CD4: InitCommonControlsEx.COMCTL32(?), ref: 006B2D5F
Part of subcall function 006B2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006B2D6F
Part of subcall function 006B2CD4: LoadIconW.USER32(000000A9), ref: 006B2D85
Part of subcall function 006B2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006B2D94

Strings

#, xrefs: 006B2C16
0, xrefs: 006B2C0F
AutoIt v3, xrefs: 006B2C2F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 4b4a7130c918dc98023b5de78af86d3c3b1c02f9a2733a9f32067dab64104f34
Instruction ID: a6ff2f6189c2f82676fdfffbe715e0b9d73840badad906fc03e52d20522b7730
Opcode Fuzzy Hash: 4b4a7130c918dc98023b5de78af86d3c3b1c02f9a2733a9f32067dab64104f34
Instruction Fuzzy Hash: 28214C74E81314ABDB119FA5EC55ADD7FB8FB08B50F60801AE500E6AA0D3B90541CF98

Function 006B3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,006B316A,?,?), ref: 006B31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,006B316A,?,?), ref: 006B3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006B3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,006B316A,?,?), ref: 006B3232
CreatePopupMenu.USER32 ref: 006B3246
PostQuitMessage.USER32(00000000), ref: 006B3267

Strings

TaskbarCreated, xrefs: 006B322D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: cfbb70020931543a97bf0dd9277fde5a0cdc74431dca2737badf76817a532318
Instruction ID: 885cbb43e708d2173ccc792391ff6e1a5ddcd0df48d3591f9d03cc0df4471bba
Opcode Fuzzy Hash: cfbb70020931543a97bf0dd9277fde5a0cdc74431dca2737badf76817a532318
Instruction Fuzzy Hash: 8C413CB53C0228A7DB152B7CDC1EBF93A1FEB06340F548129F501857A1CB799BC29769

Function 006B1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 006B1459
CoUninitialize.COMBASE ref: 006B14F8
UnregisterHotKey.USER32(?), ref: 006B16DD
DestroyWindow.USER32(?), ref: 006F24B9
FreeLibrary.KERNEL32(?), ref: 006F251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 006F254B

Strings

close all, xrefs: 006B1454

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 45dc2ae1053037901bffcd7385c4896bafc08b459fbaeb7ef725d564e35cddde
Instruction ID: 52aff5d19c44e3d1baca7a8b1a972e6eec7b9f9e51a4deda5227542e6188f654
Opcode Fuzzy Hash: 45dc2ae1053037901bffcd7385c4896bafc08b459fbaeb7ef725d564e35cddde
Instruction Fuzzy Hash: 58D18EB1702212DFCB19EF14C4A9AA9F7A2BF06700F5441ADE54AAB352DB30ED52CF54

Function 006B2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006B2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 006B2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,006B1CAD,?), ref: 006B2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,006B1CAD,?), ref: 006B2CCF

Strings

edit, xrefs: 006B2CAC
AutoIt v3, xrefs: 006B2C89, 006B2C8E, 006B2C8F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 729e447c8dc93d42c62c43f4f82da4c561a08dfd7867daff2749081142d6b20c
Instruction ID: da5b81492e6f7123b275cf942dfe7a8603485d2373b8926d5e4b752b5ac1cca5
Opcode Fuzzy Hash: 729e447c8dc93d42c62c43f4f82da4c561a08dfd7867daff2749081142d6b20c
Instruction Fuzzy Hash: 06F0DA755813907AEB721717AC08EB72EBDD7C7F50B60805AF900A29A0C6791852DBB8

Function 006B3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006B3B0F,SwapMouseButtons,00000004,?), ref: 006B3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006B3B0F,SwapMouseButtons,00000004,?), ref: 006B3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,006B3B0F,SwapMouseButtons,00000004,?), ref: 006B3B83

Strings

Control Panel\Mouse, xrefs: 006B3B3E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 6241404e3dfe39d679eaacec566de373e60bd3d3463c253934a7798a43dc2434
Instruction ID: ac16a5ff3a0f2fe65c33a2106c11ca8b1aad6b344424ec997b041c4b492c0bea
Opcode Fuzzy Hash: 6241404e3dfe39d679eaacec566de373e60bd3d3463c253934a7798a43dc2434
Instruction Fuzzy Hash: 99115AB5611218FFDB218FA4DC44AEEB7B9EF21740B10855AA801D7224E6319E809764

Function 006B3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006F33A2

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 006B3A04

Strings

Line: , xrefs: 006F33EB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 838229cdb1473bf5ab57d69ae1e37e1281fa410c8f39b1dcd1b651c131be2415
Instruction ID: b1d3c68777ab5e33dc84b6fa19429ca035419538322494e5333f538227ebafe4
Opcode Fuzzy Hash: 838229cdb1473bf5ab57d69ae1e37e1281fa410c8f39b1dcd1b651c131be2415
Instruction Fuzzy Hash: 6B3124B1548320AFC761EB20DC45BEBB7DDAB40310F10452EF19983291EF749A89C7CA

Function 006B2DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 006F2C8C

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

Part of subcall function 006B2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B2DC4

Strings

X, xrefs: 006F2C5A
`ew, xrefs: 006F2C85

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ew
API String ID: 779396738-2133719843
Opcode ID: cbf8f498536339ed97000d2f9646e59ef713fd5c9abec132a4e98f563530c5a4
Instruction ID: 22270bde764402dbdea795cd324978ebcb09c17c0ef6f4a2fd42a4f1c63997e0
Opcode Fuzzy Hash: cbf8f498536339ed97000d2f9646e59ef713fd5c9abec132a4e98f563530c5a4
Instruction Fuzzy Hash: 112196B1A002589BCF41DF94C8557EE7BF9AF49304F00805DE505A7345DBB856898F65

Function 006CFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 006D0668

Part of subcall function 006D32A4: RaiseException.KERNEL32(?,?,?,006D068A,?,00781444,?,?,?,?,?,?,006D068A,006B1129,00778738,006B1129), ref: 006D3304

__CxxThrowException@8.LIBVCRUNTIME ref: 006D0685

Strings

Unknown exception, xrefs: 006D0692

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 04c25ba4c484afcd653ed612c6422d884b8e9ba4a0aa6dc1da8fd01efcde8e01
Instruction ID: c8f83dce3f7f5dc5721d044a72896a7794714f0ef9dc770e7ff240fa818bcbd6
Opcode Fuzzy Hash: 04c25ba4c484afcd653ed612c6422d884b8e9ba4a0aa6dc1da8fd01efcde8e01
Instruction Fuzzy Hash: D0F0A424D0024977CB40B664E84AEAD776F9E00350B60413BB81496792EF71EA1585C5

Function 006B10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B1BF4
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 006B1BFC
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B1C07
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B1C12
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 006B1C1A
Part of subcall function 006B1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 006B1C22

Part of subcall function 006B1B4A: RegisterWindowMessageW.USER32(00000004,?,006B12C4), ref: 006B1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 006B136A
OleInitialize.OLE32 ref: 006B1388
CloseHandle.KERNEL32(00000000,00000000), ref: 006F24AB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: aea2fbd84bcc7b3d857bc23e0c4b1d1933fda8a6e3854ce0d9116e3d79ea4359
Instruction ID: 080587d244d91b0aa8ccb1bfcec072968af356a1123da6aacd0e080c7bc313d2
Opcode Fuzzy Hash: aea2fbd84bcc7b3d857bc23e0c4b1d1933fda8a6e3854ce0d9116e3d79ea4359
Instruction Fuzzy Hash: 2F717CB49912409EC384EF79A8566953BE9BB893547E4C13E900AC7361EB3C4462CF5D

Function 0071C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 006B3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0071C259
KillTimer.USER32(?,00000001,?,?), ref: 0071C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0071C270

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 3297cb1a2c3704a7487a0a09a8892f3e1e9b53d1f4699b764b7804de0d11b412
Instruction ID: 8830c75d8b1e13808c44258260d6024a3d08605a64dc62986d3e3f5b267dc455
Opcode Fuzzy Hash: 3297cb1a2c3704a7487a0a09a8892f3e1e9b53d1f4699b764b7804de0d11b412
Instruction Fuzzy Hash: B931E570940344AFEB738FA88855BEBBBFCAB06304F00409ED2DA93281C3785AC4CB55

Function 006E86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006E85CC,?,00778CC8,0000000C), ref: 006E8704
GetLastError.KERNEL32(?,006E85CC,?,00778CC8,0000000C), ref: 006E870E
__dosmaperr.LIBCMT ref: 006E8739

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 55b71263421fa9e933d19a3ef72774331f67eaedc7a6d549d754aa297fed2436
Instruction ID: 656b395d3841ec5066dcd7984a7ee55f7276bccd10e228bb0147258794952214
Opcode Fuzzy Hash: 55b71263421fa9e933d19a3ef72774331f67eaedc7a6d549d754aa297fed2436
Instruction Fuzzy Hash: 34016F326073E01EC6A0633658457BE67474B82778F35011DF81D8F2D3DF648C818294

Function 006BDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 006BDB7B
DispatchMessageW.USER32(?), ref: 006BDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006BDB9F
Sleep.KERNELBASE(0000000A), ref: 006BDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00701CC9

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 6e68efade84bddeb4f060d6b8bf8b145961c94d9d8fc0e888017ad8a6eca0a40
Instruction ID: bf717351378b28549e4d15d4ab72121a3abc617bb1f62d988ef1a13b663a57f7
Opcode Fuzzy Hash: 6e68efade84bddeb4f060d6b8bf8b145961c94d9d8fc0e888017ad8a6eca0a40
Instruction Fuzzy Hash: 7BF05E706453409BEB70CB608C49FEA73ADEB45310F508A29E61A870C0EB38A4898B29

Function 006C1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006C17F6

Strings

CALL, xrefs: 006C17C6

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 54c3d3f8be0651b3580422e019d8f157507423d94fb847d48caec748da3762fd
Instruction ID: a468badac148e2ac9fd4b18619f7f1c5226511af67e21f20db162efbc4f52eeb
Opcode Fuzzy Hash: 54c3d3f8be0651b3580422e019d8f157507423d94fb847d48caec748da3762fd
Instruction Fuzzy Hash: 2F2269B0608201DFC714DF14C894F6ABBE2EF8A314F24895DF4968B3A2D735E951CB96

Function 006B3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 006B3908

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f6638d1e66fbe6682906eb0ea1902d3151d42f6aa15ee5043bb249cc81cea6a3
Instruction ID: 3fbb0db324c987eea548db56863279263ca514b8fe0458fe167c6e6c96d3b80f
Opcode Fuzzy Hash: f6638d1e66fbe6682906eb0ea1902d3151d42f6aa15ee5043bb249cc81cea6a3
Instruction Fuzzy Hash: 4C31ACB0A043119FD361DF24D8847D7BBE8FB49308F00092EF69A83780E775AA85CB56

Function 006CF645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006CF661

Part of subcall function 006BD730: GetInputState.USER32 ref: 006BD807

Sleep.KERNEL32(00000000), ref: 0070F2DE

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 44e3b766135a6f31fe37d97a7cd41b13c7a17e82a9a9a8cf0b1ccfc894de3bba
Instruction ID: 47a8d6f2a10b205f832b63076b0e613d97ffd6356c43b83c45f2151df51f9517
Opcode Fuzzy Hash: 44e3b766135a6f31fe37d97a7cd41b13c7a17e82a9a9a8cf0b1ccfc894de3bba
Instruction Fuzzy Hash: D9F082752402059FD350EF65D445BAAB7E9FF45760F00402EE85AC7260DB70A840CB95

Function 006B4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E9C
Part of subcall function 006B4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006B4EAE
Part of subcall function 006B4E90: FreeLibrary.KERNEL32(00000000,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4EFD

Part of subcall function 006B4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E62
Part of subcall function 006B4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006B4E74
Part of subcall function 006B4E59: FreeLibrary.KERNEL32(00000000,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E87

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: be33a873cbdb6268b7a86f0f4d994e927baec1b6fe0f63d038017e25292819fa
Instruction ID: 0f53cb24f48c8b1e3ff72aaef45c9cee3249f3338af0b0b66434302eb69e1126
Opcode Fuzzy Hash: be33a873cbdb6268b7a86f0f4d994e927baec1b6fe0f63d038017e25292819fa
Instruction Fuzzy Hash: 7911E772600305AACF64BB64DC02FFD77AAAF80710F10842DF542A72C2DE75DA859758

Function 006E8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 006E8440

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ee6874fc61751c6c13f667b3de536704b01bc3ae5fda8fe1a32c6e1c1a5d5503
Instruction ID: d96037e366d99f625c49965181b48bc8d97792c47584c9ab6fe75dcee5382aaa
Opcode Fuzzy Hash: ee6874fc61751c6c13f667b3de536704b01bc3ae5fda8fe1a32c6e1c1a5d5503
Instruction Fuzzy Hash: 4711187590420AEFCB05DF59E9419DA7BF5EF48314F104059F808AB352DA31DA11CBA5

Function 006E5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006E4C7D: RtlAllocateHeap.NTDLL(00000008,006B1129,00000000,?,006E2E29,00000001,00000364,?,?,?,006DF2DE,006E3863,00781444,?,006CFDF5,?), ref: 006E4CBE

_free.LIBCMT ref: 006E506C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 17121daef634b8f591750a526defdc9f57f9ffc2ab7e44975b03e07902c15fce
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: F50149722057456FE3318F66D885A9AFBEEFB89370F25051DF185832C0EA70A805C7B4

Function 006DE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: b92c6a3ddeadec82131c1094ec7ca5e264ffc5d17c94b27df5f7b39887241393
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: C7F0F932D11B549AC6313A668C05B96339F9F52335F10071FF4259B3D2DB75E40286ED

Function 006E4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,006B1129,00000000,?,006E2E29,00000001,00000364,?,?,?,006DF2DE,006E3863,00781444,?,006CFDF5,?), ref: 006E4CBE

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 59f2b2f031493d1ce0c13e6143dac6f5df63fce837e037b4f245104a0d55ebcf
Instruction ID: 207ae60ef81d0fb3e3f4d2daa3a968ef5229a2621b69482f0e7223d85076a924
Opcode Fuzzy Hash: 59f2b2f031493d1ce0c13e6143dac6f5df63fce837e037b4f245104a0d55ebcf
Instruction Fuzzy Hash: E6F0B4316033A467DB215F739C05F9A378BAF81BA0B348116B81AAB794CE30DC0186E4

Function 006E3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7879e6c2af2cc36f6256852068dca1c931be8d247b02db2e1c854bb2b5598909
Instruction ID: dc203de53317e52b7134f5a5ca4d7145d8f224d5c940461b545a6b0fef3ccd17
Opcode Fuzzy Hash: 7879e6c2af2cc36f6256852068dca1c931be8d247b02db2e1c854bb2b5598909
Instruction Fuzzy Hash: E2E030315033B466D63126A79C09BDB375BAF827B0B150126B81697791DB21DE0282E5

Function 006B4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4F6D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 53df3f1f6d348092874c3c45cbed51fe9dd025349542a6a7d9464e5760f070ba
Instruction ID: 6dcaa52789ce5f26906b4183e7393e072f2dba45734362cc61c35f789a4401fc
Opcode Fuzzy Hash: 53df3f1f6d348092874c3c45cbed51fe9dd025349542a6a7d9464e5760f070ba
Instruction Fuzzy Hash: E5F030B1505751CFDB349F64D4908A2B7FAEF55319310C97EE2DA83612CB319884DF10

Function 00742A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00742A66

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 39d3347f1ef5c65f2d5704b269a24be43da3e74399b11cd335731c5918ecf56b
Instruction ID: b489bd04daf869ed7c38deee8f487cdc7b84b502896d75ad19cc8caa34c0746e
Opcode Fuzzy Hash: 39d3347f1ef5c65f2d5704b269a24be43da3e74399b11cd335731c5918ecf56b
Instruction Fuzzy Hash: A5E0DF3636012AAAC710EA30EC888FA734CEB113957508536BC2AC3141DB389AA286A0

Function 006B30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 006B314E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: cc560e2c1543302d4b71f2391a83cf8cc502eb3ac1993b51457c7f1c678849fb
Instruction ID: f59aa365fb19aee8ed38e9db5c48b3d26091800b6c68119379719c53baf72234
Opcode Fuzzy Hash: cc560e2c1543302d4b71f2391a83cf8cc502eb3ac1993b51457c7f1c678849fb
Instruction Fuzzy Hash: EDF0A7709403149FE7929B24DC467D57BBCA701708F1040E9A24896681D7744789CF45

Function 006B2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B2DC4

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4384e8511b0d1b84f84054ffa7d18190beb261cea16c3a40efe67d8bc5175b32
Instruction ID: 4591020e09749641a246dbd2ad85dd08ecba521cec89e9e65d79d7fa8b52bbf1
Opcode Fuzzy Hash: 4384e8511b0d1b84f84054ffa7d18190beb261cea16c3a40efe67d8bc5175b32
Instruction Fuzzy Hash: 2AE0CD766011245BC7519258DC05FEA77EDDFC97D0F044075FE09D7248DAA4AD808654

Function 006B2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006B3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006B3908

Part of subcall function 006BD730: GetInputState.USER32 ref: 006BD807

SetCurrentDirectoryW.KERNEL32(?), ref: 006B2B6B

Part of subcall function 006B30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 006B314E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f9e41a36e25e7a7e5337b698baed039f6aff837f4e4719f8a8de7219fb0b46d7
Instruction ID: 8be5278c8193e966840eb1902d4e66d92166d433664e5f1d29f124230dea19ef
Opcode Fuzzy Hash: f9e41a36e25e7a7e5337b698baed039f6aff837f4e4719f8a8de7219fb0b46d7
Instruction Fuzzy Hash: 23E086B130425406CA88BB7498625EDA75F9FD1355F40553EF14647263DF2845C6435A

Function 006F039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,006F0704,?,?,00000000,?,006F0704,00000000,0000000C), ref: 006F03B7

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 03c6b1d9d9bb810be109e416143d6b074482dcbdcc8742af6b452fc33ca91b8d
Instruction ID: a8e1204b23f489aef5dfd13061e1e69818044aaeb71be69b1e3bc348309604b5
Opcode Fuzzy Hash: 03c6b1d9d9bb810be109e416143d6b074482dcbdcc8742af6b452fc33ca91b8d
Instruction Fuzzy Hash: 56D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C736E821AB94

Function 006B1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 006B1CBC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: de1c93110ed49338e2a6a2a7ce928533ec0a6e23f96ad879310d87e8537a2823
Instruction ID: 03a91f33f04892cff53d1d0189618c0f9a66b29a7f218f03096e854dd0c8051e
Opcode Fuzzy Hash: de1c93110ed49338e2a6a2a7ce928533ec0a6e23f96ad879310d87e8537a2823
Instruction Fuzzy Hash: 9DC09B352C03049FF2154780FC5AF547758A348B01F74C001F709955E3C3A51431D758

Non-executed Functions

Function 00749576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0074961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0074965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0074969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007496C9
SendMessageW.USER32 ref: 007496F2
GetKeyState.USER32(00000011), ref: 0074978B
GetKeyState.USER32(00000009), ref: 00749798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007497AE
GetKeyState.USER32(00000010), ref: 007497B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007497E9
SendMessageW.USER32 ref: 00749810
SendMessageW.USER32(?,00001030,?,00747E95), ref: 00749918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0074992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00749941
SetCapture.USER32(?), ref: 0074994A
ClientToScreen.USER32(?,?), ref: 007499AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 007499BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007499D6
ReleaseCapture.USER32 ref: 007499E1
GetCursorPos.USER32(?), ref: 00749A19
ScreenToClient.USER32(?,?), ref: 00749A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00749A80
SendMessageW.USER32 ref: 00749AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00749AEB
SendMessageW.USER32 ref: 00749B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00749B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00749B4A
GetCursorPos.USER32(?), ref: 00749B68
ScreenToClient.USER32(?,?), ref: 00749B75
GetParent.USER32(?), ref: 00749B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00749BFA
SendMessageW.USER32 ref: 00749C2B
ClientToScreen.USER32(?,?), ref: 00749C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00749CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00749CDE
SendMessageW.USER32 ref: 00749D01
ClientToScreen.USER32(?,?), ref: 00749D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00749D82

Part of subcall function 006C9944: GetWindowLongW.USER32(?,000000EB), ref: 006C9952

GetWindowLongW.USER32(?,000000F0), ref: 00749E05

Strings

@GUI_DRAGID, xrefs: 0074997D
p#x, xrefs: 00749990
F, xrefs: 00749D07

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#x
API String ID: 3429851547-3050798211
Opcode ID: 227edda5a3fa29fe2a7d1f73abf6bbcaec8bddfeeb96c5f6c027cbcaf6420578
Instruction ID: 0ae915034414560e6f05f5efcdc309597a8bf48c895bfbd4cbde5e0caa30b8e1
Opcode Fuzzy Hash: 227edda5a3fa29fe2a7d1f73abf6bbcaec8bddfeeb96c5f6c027cbcaf6420578
Instruction Fuzzy Hash: 06428A34204241EFDB25CF24CC44EABBBE9FF49310F11865AF699872A1D739A851CF56

Function 00744873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007448F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00744908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00744927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0074494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0074495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0074497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007449AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007449D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00744A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00744A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00744A7E
IsMenu.USER32(?), ref: 00744A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00744AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00744B20
GetWindowLongW.USER32(?,000000F0), ref: 00744B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00744BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00744C82
wsprintfW.USER32 ref: 00744CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00744CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00744CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00744D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00744D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00744D5A

Strings

%d/%02d/%02d, xrefs: 00744CA8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b634b41dc624ca908c1a1cb549ae0ac5c9b674289fcf5964b2edb57af2a42c81
Instruction ID: 3e808342bb0d14fdf147d8110bb034c5db60bb3ffde9bec89fa7e4f26df7325a
Opcode Fuzzy Hash: b634b41dc624ca908c1a1cb549ae0ac5c9b674289fcf5964b2edb57af2a42c81
Instruction Fuzzy Hash: 40122271600214ABEB258F24CC49FAE7BF9FF46310F14816AF916EB2E1DB789941DB50

Function 006CF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 006CF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0070F474
IsIconic.USER32(00000000), ref: 0070F47D
ShowWindow.USER32(00000000,00000009), ref: 0070F48A
SetForegroundWindow.USER32(00000000), ref: 0070F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0070F4AA
GetCurrentThreadId.KERNEL32 ref: 0070F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0070F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0070F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0070F4DE
SetForegroundWindow.USER32(00000000), ref: 0070F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F4F6
keybd_event.USER32(00000012,00000000), ref: 0070F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F50B
keybd_event.USER32(00000012,00000000), ref: 0070F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F519
keybd_event.USER32(00000012,00000000), ref: 0070F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0070F528
keybd_event.USER32(00000012,00000000), ref: 0070F52D
SetForegroundWindow.USER32(00000000), ref: 0070F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0070F557

Strings

Shell_TrayWnd, xrefs: 0070F46F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 9dc0b9ec8ff8306b2a0e67134a8406b423456c35f758e474fa36152a9f7cfb1d
Instruction ID: 2aea01617726a223ef4611528815de8a4d4356db79b2d9b9d49cf13ae1a5fd84
Opcode Fuzzy Hash: 9dc0b9ec8ff8306b2a0e67134a8406b423456c35f758e474fa36152a9f7cfb1d
Instruction Fuzzy Hash: 4431C675A41318BFEB316BB54C4AFBF7EACEB45B50F204026FA00E61D1C7B85D10AA65

Function 00711201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0071170D
Part of subcall function 007116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0071173A
Part of subcall function 007116C3: GetLastError.KERNEL32 ref: 0071174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00711286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007112A8
CloseHandle.KERNEL32(?), ref: 007112B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007112D1
GetProcessWindowStation.USER32 ref: 007112EA
SetProcessWindowStation.USER32(00000000), ref: 007112F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00711310

Part of subcall function 007110BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007111FC), ref: 007110D4
Part of subcall function 007110BF: CloseHandle.KERNEL32(?,?,007111FC), ref: 007110E9

Strings

winsta0, xrefs: 007112CC
default, xrefs: 0071130B
Zw, xrefs: 00711392
, xrefs: 0071125A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zw
API String ID: 22674027-1034679043
Opcode ID: 500ddc23b60dba829bae59bb5340e7f9ae1295f8f8f493bfc76a649f017614f7
Instruction ID: be402bd6f873e81b3df66918cb39fb28c481c70058b3ff2e727ad854c53a20b6
Opcode Fuzzy Hash: 500ddc23b60dba829bae59bb5340e7f9ae1295f8f8f493bfc76a649f017614f7
Instruction Fuzzy Hash: 4981C371900249AFDF11DFA8DC49FEE7BB9EF05704F14812AFE10AA1A0D7798984CB65

Function 00710B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00711114
Part of subcall function 007110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711120
Part of subcall function 007110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 0071112F
Part of subcall function 007110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711136
Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0071114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00710BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00710C00
GetLengthSid.ADVAPI32(?), ref: 00710C17
GetAce.ADVAPI32(?,00000000,?), ref: 00710C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00710C6D
GetLengthSid.ADVAPI32(?), ref: 00710C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00710C8C
HeapAlloc.KERNEL32(00000000), ref: 00710C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00710CB4
CopySid.ADVAPI32(00000000), ref: 00710CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00710CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00710D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00710D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710D45
HeapFree.KERNEL32(00000000), ref: 00710D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710D55
HeapFree.KERNEL32(00000000), ref: 00710D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710D65
HeapFree.KERNEL32(00000000), ref: 00710D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00710D78
HeapFree.KERNEL32(00000000), ref: 00710D7F

Part of subcall function 00711193: GetProcessHeap.KERNEL32(00000008,00710BB1,?,00000000,?,00710BB1,?), ref: 007111A1
Part of subcall function 00711193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00710BB1,?), ref: 007111A8
Part of subcall function 00711193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00710BB1,?), ref: 007111B7

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1fd6efc5267ef28d7f390a7c6a5ff3ee8bedddf58021a3e66b85bad4908d76ff
Instruction ID: f878da1dda100ff84a8eba2cb26f3a15f90311716c016df15bb469e7792e290a
Opcode Fuzzy Hash: 1fd6efc5267ef28d7f390a7c6a5ff3ee8bedddf58021a3e66b85bad4908d76ff
Instruction Fuzzy Hash: 5F7190B5A0120AABDF11DFE8DC45FEEBBB8BF05300F048115E954A7191D7B9A985CBA0

Function 0072EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0074CC08), ref: 0072EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0072EB37
GetClipboardData.USER32(0000000D), ref: 0072EB43
CloseClipboard.USER32 ref: 0072EB4F
GlobalLock.KERNEL32(00000000), ref: 0072EB87
CloseClipboard.USER32 ref: 0072EB91
GlobalUnlock.KERNEL32(00000000), ref: 0072EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0072EBC9
GetClipboardData.USER32(00000001), ref: 0072EBD1
GlobalLock.KERNEL32(00000000), ref: 0072EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0072EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0072EC38
GetClipboardData.USER32(0000000F), ref: 0072EC44
GlobalLock.KERNEL32(00000000), ref: 0072EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0072EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0072EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0072ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0072ECF3
CountClipboardFormats.USER32 ref: 0072ED14
CloseClipboard.USER32 ref: 0072ED59

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: cf91f4acb537d6dfe6711c8b685ea4332865801f63d743b755bae40bc168be68
Instruction ID: 02fbddb7567a2e78a0bfbfe3852d6882bc0c1cc7905fdbe34cf81aa7e7436b6b
Opcode Fuzzy Hash: cf91f4acb537d6dfe6711c8b685ea4332865801f63d743b755bae40bc168be68
Instruction Fuzzy Hash: 4561F178204301AFD341EF24E888F6A7BE4BF85714F18851EF456872A2CB79DD45CB66

Function 0072698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007269BE
FindClose.KERNEL32(00000000), ref: 00726A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00726A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00726A75

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00726AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00726ADF

Strings

%03d, xrefs: 00726DA2
%02d, xrefs: 00726C00, 00726C0A, 00726C5A, 00726CAA, 00726CFA, 00726D4A
%4d, xrefs: 00726BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00726B32
%4d%02d%02d%02d%02d%02d, xrefs: 00726B6A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: cd2de3e49a2c1147dc4ab25ef1ce1ec61680c7562a0fc8291b77242ca26fa0e7
Instruction ID: d581453a8e67b4c83fab8881cc3ac1ef65d86a16054adc36b8c3aedd9b1ab374
Opcode Fuzzy Hash: cd2de3e49a2c1147dc4ab25ef1ce1ec61680c7562a0fc8291b77242ca26fa0e7
Instruction Fuzzy Hash: 94D151B2508300AFC754EB64D885EBBB7FDAF88704F04491EF589D6191EB78DA44CB62

Function 00729642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00729663
GetFileAttributesW.KERNEL32(?), ref: 007296A1
SetFileAttributesW.KERNEL32(?,?), ref: 007296BB
FindNextFileW.KERNEL32(00000000,?), ref: 007296D3
FindClose.KERNEL32(00000000), ref: 007296DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007296FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0072974A
SetCurrentDirectoryW.KERNEL32(00776B7C), ref: 00729768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00729772
FindClose.KERNEL32(00000000), ref: 0072977F
FindClose.KERNEL32(00000000), ref: 0072978F

Strings

*.*, xrefs: 007296F5

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 7a85af0e7c8f78c3b8ffa089cda6d7e6df392c3264e94c25a21cf22abf8c0c86
Instruction ID: 8d696d3a32bdfb7673d896e19f6db73c8d418dc6e1b2abd5883d87be235037b3
Opcode Fuzzy Hash: 7a85af0e7c8f78c3b8ffa089cda6d7e6df392c3264e94c25a21cf22abf8c0c86
Instruction Fuzzy Hash: C53108765416296FDF10DFB4EC48ADE77BCAF0A320F14805AFA05E21A0DB78DE448E18

Function 0072979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 007297BE
FindNextFileW.KERNEL32(00000000,?), ref: 00729819
FindClose.KERNEL32(00000000), ref: 00729824
FindFirstFileW.KERNEL32(*.*,?), ref: 00729840
SetCurrentDirectoryW.KERNEL32(?), ref: 00729890
SetCurrentDirectoryW.KERNEL32(00776B7C), ref: 007298AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007298B8
FindClose.KERNEL32(00000000), ref: 007298C5
FindClose.KERNEL32(00000000), ref: 007298D5

Part of subcall function 0071DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0071DB00

Strings

*.*, xrefs: 0072983B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ab57a9fb00af715f071e7c813ace874595a35d78d6278ccd5298663659f96ae7
Instruction ID: 38bee5507e40f39801d64df12b757e3566a550d75d4df430d4663c54ef5ab5d5
Opcode Fuzzy Hash: ab57a9fb00af715f071e7c813ace874595a35d78d6278ccd5298663659f96ae7
Instruction Fuzzy Hash: 6E31D871541629AAEF15DFB4EC48ADE77ACAF06320F188156E614E21A0DB78DE44CB24

Function 0073BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0073BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0073BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0073C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0073C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0073C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0073C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0073C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0073C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0073C382
RegCloseKey.ADVAPI32(00000000), ref: 0073C38F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: dbe7b818bd3f012803b88f07c33bd88c630dc55221fbbe5ab5f6fdc74c8ef9cd
Instruction ID: e5710fa15bb36306348a4ceb873d400161d7a9d064bde43c94245781e9ce333c
Opcode Fuzzy Hash: dbe7b818bd3f012803b88f07c33bd88c630dc55221fbbe5ab5f6fdc74c8ef9cd
Instruction Fuzzy Hash: 64026E71604200AFD755DF28C891E2ABBE5EF89304F18C49DF84ADB2A2DB35EC45CB52

Function 00728195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00728257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00728267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00728273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00728310
SetCurrentDirectoryW.KERNEL32(?), ref: 00728324
SetCurrentDirectoryW.KERNEL32(?), ref: 00728356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0072838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00728395

Strings

*.*, xrefs: 0072839B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: aa0b90d4643c6a68a1c02416e5573d987bbc464ebad019d6df9be581401c2091
Instruction ID: 92c93a46780408dd3a05b36d6476cb9a5069089648c49e0b83ff265a7cb8a83f
Opcode Fuzzy Hash: aa0b90d4643c6a68a1c02416e5573d987bbc464ebad019d6df9be581401c2091
Instruction Fuzzy Hash: 8061ADB25043159FCB50EF64D8409AEB3E9FF89310F04891EF989C7251EB3AE945CB96

Function 0071D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

Part of subcall function 0071E199: GetFileAttributesW.KERNEL32(?,0071CF95), ref: 0071E19A

FindFirstFileW.KERNEL32(?,?), ref: 0071D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0071D1DD
MoveFileW.KERNEL32(?,?), ref: 0071D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0071D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0071D237

Part of subcall function 0071D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0071D21C,?,?), ref: 0071D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0071D253
FindClose.KERNEL32(00000000), ref: 0071D264

Strings

\*.*, xrefs: 0071D0CD, 0071D0D6, 0071D0EB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: d5afc55a3306a1ae572474b28cbc76b0227d89aa35fb1d57d89c4b345e50aec3
Instruction ID: d51470742ca4a66af165ee0162611eb67ec4c24c95b046bf2fa5d1cedcefecea
Opcode Fuzzy Hash: d5afc55a3306a1ae572474b28cbc76b0227d89aa35fb1d57d89c4b345e50aec3
Instruction Fuzzy Hash: 20617D7180111DABCF15EBE8CD929EDB7B6AF15300F248169E40277191EB38AF89DF64

Function 0072ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0072ED91
EmptyClipboard.USER32 ref: 0072ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0072EDAC
CloseClipboard.USER32 ref: 0072EEA3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 054b1d3ae5b6fb02088b62248d26a43e83501da242fff2da9633abb44baff6cb
Instruction ID: 784f39c654e5012f12ac953fd28ec45b252bc917e748605021c986b454c0bbb8
Opcode Fuzzy Hash: 054b1d3ae5b6fb02088b62248d26a43e83501da242fff2da9633abb44baff6cb
Instruction Fuzzy Hash: 0541EF35604221AFE321CF15E888B29BBE5FF44328F15C09EE4158BB62C779EC41CB95

Function 0071E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007116C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0071170D
Part of subcall function 007116C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0071173A
Part of subcall function 007116C3: GetLastError.KERNEL32 ref: 0071174A

ExitWindowsEx.USER32(?,00000000), ref: 0071E932

Strings

SeShutdownPrivilege, xrefs: 0071E902
@, xrefs: 0071E925
, xrefs: 0071E920
, xrefs: 0071E95C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 37aa2a47cb919d5f8dc5eae9d846ad63a0c95fc54df73c50d2666da79651ebfa
Instruction ID: 5ea392b2419ab3afca987bb8f3797ae2b9b7bbb676e1c54474b51fc7f7205045
Opcode Fuzzy Hash: 37aa2a47cb919d5f8dc5eae9d846ad63a0c95fc54df73c50d2666da79651ebfa
Instruction Fuzzy Hash: EE01F976A10311ABEB5466BC9C8AFFF726CAB18750F154422FD03E21D1D6AD7CC085A5

Function 00731204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00731276
WSAGetLastError.WSOCK32 ref: 00731283
bind.WSOCK32(00000000,?,00000010), ref: 007312BA
WSAGetLastError.WSOCK32 ref: 007312C5
closesocket.WSOCK32(00000000), ref: 007312F4
listen.WSOCK32(00000000,00000005), ref: 00731303
WSAGetLastError.WSOCK32 ref: 0073130D
closesocket.WSOCK32(00000000), ref: 0073133C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 939d7713f7d6ab3f18aafa4f4c8f72daf1482eeb1c7dd4248da45d462cafab4f
Instruction ID: 5b14cff819d54bfc1991ece1dc343884e1fb94a806cbb93455284b6261955dd8
Opcode Fuzzy Hash: 939d7713f7d6ab3f18aafa4f4c8f72daf1482eeb1c7dd4248da45d462cafab4f
Instruction Fuzzy Hash: B44191756001109FE710DF24C488B6ABBE6BF86318F58C199E8568F297C779ED81CBE1

Function 006EB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006EB9D4
_free.LIBCMT ref: 006EB9F8
_free.LIBCMT ref: 006EBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00753700), ref: 006EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0078121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00781270,000000FF,?,0000003F,00000000,?), ref: 006EBC36
_free.LIBCMT ref: 006EBD4B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b608c816fabaa05b17cfbe50cdfb5a523ea018b8eff14ec7414618ac72d88836
Instruction ID: 3716d2206dc101003a25bd0c336991ded3fc666096cfa4bd86ddb93fb362959d
Opcode Fuzzy Hash: b608c816fabaa05b17cfbe50cdfb5a523ea018b8eff14ec7414618ac72d88836
Instruction Fuzzy Hash: D4C13A71A063859FCB209F6A8C41AEB7BABEF41310F28516EE490D7351DB308D428B54

Function 0071D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

Part of subcall function 0071E199: GetFileAttributesW.KERNEL32(?,0071CF95), ref: 0071E19A

FindFirstFileW.KERNEL32(?,?), ref: 0071D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0071D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0071D481
FindClose.KERNEL32(00000000), ref: 0071D498
FindClose.KERNEL32(00000000), ref: 0071D4A1

Strings

\*.*, xrefs: 0071D3F2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: d4be3f2508cded78ab1e8599c538eb02da3bd394d31e8233e15f57cc728bd6ca
Instruction ID: c01b8233e65b94deb1f9f5e86f301de724224fcae3b484137b5d672efd3e8c28
Opcode Fuzzy Hash: d4be3f2508cded78ab1e8599c538eb02da3bd394d31e8233e15f57cc728bd6ca
Instruction Fuzzy Hash: FD31B071008391ABC355EF64C8918EF77E9BE92300F404E1EF8D142191EB74AE49CB67

Function 006EE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 006EE645

Strings

1#QNAN, xrefs: 006EF84B
1#SNAN, xrefs: 006EF844
1#INF, xrefs: 006EF852
1#IND, xrefs: 006EF83D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e50d47826e3b15e854738fd145fdb4881bb4975c9f0cff77c0c3c8bfbe5ae56b
Instruction ID: 68e551c6f44f3efc3e640a14504317579f915fbe42a71ee5ebcba193a94bb181
Opcode Fuzzy Hash: e50d47826e3b15e854738fd145fdb4881bb4975c9f0cff77c0c3c8bfbe5ae56b
Instruction Fuzzy Hash: 41C25B71E056688FDB25CF29DD407EAB7B6EB48305F1441EAD80DE7281E779AE818F40

Function 0072648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007264DC
CoInitialize.OLE32(00000000), ref: 00726639
CoCreateInstance.OLE32(0074FCF8,00000000,00000001,0074FB68,?), ref: 00726650
CoUninitialize.OLE32 ref: 007268D4

Strings

.lnk, xrefs: 007264BA, 00726524, 007265E0

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 4ea5fc9d8e65f1575f0720c5b6500eda0ebd631b8edc6886c70d369b4931700a
Instruction ID: c368b0d46671e3ff412e2c57068f726b531aad9ab6f2d34a06ba1de217955722
Opcode Fuzzy Hash: 4ea5fc9d8e65f1575f0720c5b6500eda0ebd631b8edc6886c70d369b4931700a
Instruction Fuzzy Hash: DBD14AB1508311AFC354EF24C8819ABB7E9FF94704F10496DF5958B2A1EB70ED45CBA2

Function 007322DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007322E8

Part of subcall function 0072E4EC: GetWindowRect.USER32(?,?), ref: 0072E504

GetDesktopWindow.USER32 ref: 00732312
GetWindowRect.USER32(00000000), ref: 00732319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00732355
GetCursorPos.USER32(?), ref: 00732381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007323DF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: f0729118a9f945d721de8068f603b6b7d4abff0a82bad06946c567e7979984f5
Instruction ID: 3512cc9cd91f7b65ca3f18a6f16afb53f7157a72405791a8fac526f1d8c58d90
Opcode Fuzzy Hash: f0729118a9f945d721de8068f603b6b7d4abff0a82bad06946c567e7979984f5
Instruction Fuzzy Hash: F3310172505315AFE721DF18C848F9BBBA9FF85310F00491AF98597182DB38EA09CB96

Function 00729B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00729B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00729C8B

Part of subcall function 00723874: GetInputState.USER32 ref: 007238CB
Part of subcall function 00723874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00723966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00729BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00729C75

Strings

*.*, xrefs: 00729B5D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 4c36812e2a580e50b27d9996341f3f6829c1fe2a31ab6f5aebe1af458d6bfc6b
Instruction ID: 9560332bfaa0a3b1687f1bdca25240bb0d0d3d8a321458d2573c22754e719f06
Opcode Fuzzy Hash: 4c36812e2a580e50b27d9996341f3f6829c1fe2a31ab6f5aebe1af458d6bfc6b
Instruction Fuzzy Hash: 9A41A3B190021AAFDF55DF74D885AEEBBF9FF05310F24405AE905A2191EB349E84CF64

Function 006C997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 006C9A4E
GetSysColor.USER32(0000000F), ref: 006C9B23
SetBkColor.GDI32(?,00000000), ref: 006C9B36

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4146038bdee27e078b8d849a9f1390a20632bfd1b1a585614324c8ed990c41c6
Instruction ID: da77c17d9d8db5212e1bd27eb4e179e50a3d68cfdd495407fd94b496ffb67b48
Opcode Fuzzy Hash: 4146038bdee27e078b8d849a9f1390a20632bfd1b1a585614324c8ed990c41c6
Instruction Fuzzy Hash: C5A10871608444FEE729AA6C8C9DFBB369EEB42350F25420DF502D67D1CA2DAD02D376

Function 00731806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0073304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0073307A
Part of subcall function 0073304E: _wcslen.LIBCMT ref: 0073309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0073185D
WSAGetLastError.WSOCK32 ref: 00731884
bind.WSOCK32(00000000,?,00000010), ref: 007318DB
WSAGetLastError.WSOCK32 ref: 007318E6
closesocket.WSOCK32(00000000), ref: 00731915

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: b142601d7d22f7d176f2b10fd44888fa7b49adbcc2a9b23d683e02f79747cb42
Instruction ID: 83703a0b476061a0d8a18b7e44168eb43f83d7be9d75713e4548b14d6a951222
Opcode Fuzzy Hash: b142601d7d22f7d176f2b10fd44888fa7b49adbcc2a9b23d683e02f79747cb42
Instruction Fuzzy Hash: 355192B5A002109FEB50AF24C886F6A77EAAB45718F48809CF9055F293C775AD418BA5

Function 00741C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00741CC0
IsWindowEnabled.USER32 ref: 00741CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00741CDB
IsIconic.USER32 ref: 00741CE9
IsZoomed.USER32 ref: 00741CF7

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: ea4376de755b4f4c303cf7ca1d0cecadc246a1276e44dc9f7318839a76d11581
Instruction ID: 84fa416ba25abf5f5708850cbac145ae4e6379f27782d77c8f365eb1a3adb931
Opcode Fuzzy Hash: ea4376de755b4f4c303cf7ca1d0cecadc246a1276e44dc9f7318839a76d11581
Instruction Fuzzy Hash: EE21F6317412009FD3219F1ACC84B6A7BE5EF85324B59C059E8458B352C779DC82CBA4

Function 006B8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 006B813C
VUUU, xrefs: 006B83FA
VUUU, xrefs: 006F5DF0
VUUU, xrefs: 006B83E8
VUUU, xrefs: 006B843C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 383e8c9a6dd23d6c182c27a8ad3f6c30dbdeacadd20118a0392763ff88c168fc
Instruction ID: 07eb6125633e5bc8f4a421cc444528d053cec77f622fd03ab0c4f8cdaa371118
Opcode Fuzzy Hash: 383e8c9a6dd23d6c182c27a8ad3f6c30dbdeacadd20118a0392763ff88c168fc
Instruction Fuzzy Hash: 28A25DB1A0021ACFDF24CF58C9507FDB7B6BB54314F2481A9EA16A7345EB709D81CB90

Function 00718298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007182AA

Strings

|, xrefs: 007182DA
tbw, xrefs: 007184F4
(, xrefs: 007182F0

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbw$|
API String ID: 1659193697-2577085510
Opcode ID: 9ec93136be41dd95fbab92933d480f4731907712f257cb346419afd2831f5096
Instruction ID: 9f5b3f96136263a7e17a55a47bca1ddb61e10e8c4d4b11df687c532bc26dc27c
Opcode Fuzzy Hash: 9ec93136be41dd95fbab92933d480f4731907712f257cb346419afd2831f5096
Instruction Fuzzy Hash: 00323774A006059FCB68CF59C081AAAB7F1FF48710B15C56EE49ADB3A1EB74E981CB44

Function 0071AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0071AAAC
SetKeyboardState.USER32(00000080), ref: 0071AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0071AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0071AB88

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3829b83ca7c53ffd7df9c51ac072b7cd668ba07d6f196a03047143c45cf54240
Instruction ID: 2ab23c2a36e7588c87a942f69a5edefbd7b8504aa9a7092cb0f141641370f8bb
Opcode Fuzzy Hash: 3829b83ca7c53ffd7df9c51ac072b7cd668ba07d6f196a03047143c45cf54240
Instruction Fuzzy Hash: 643128B0A46288BEFF31CA6CCC05BFA7BA6AF45310F04821AF181521D1D37D89C5C762

Function 0072CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0072CE89
GetLastError.KERNEL32(?,00000000), ref: 0072CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0072CEFE

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a542eeb30abede9f76b4e9d38ffd7c02dee7bc9a2f83fc2ce7a80fbd463b2ef2
Instruction ID: 1b90444fd89b2a7eefbc99ddb228762eccd00eb30cfee8ef02fe6e1e40732076
Opcode Fuzzy Hash: a542eeb30abede9f76b4e9d38ffd7c02dee7bc9a2f83fc2ce7a80fbd463b2ef2
Instruction Fuzzy Hash: E821CFB29007159BEB22DFA5E948BAB77FCEB20358F10841EE546D2151E778EE048B54

Function 00725C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00725CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00725D17
FindClose.KERNEL32(?), ref: 00725D5F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 96a73feb7a67fd5c75ec9299171dbad7eb14966bb31d8877234d9e023f00eb60
Instruction ID: edbf627bcbed2807f3aefd32075d32dd5b35fee114c844fa55affd96c9346234
Opcode Fuzzy Hash: 96a73feb7a67fd5c75ec9299171dbad7eb14966bb31d8877234d9e023f00eb60
Instruction Fuzzy Hash: B2519774604A019FC714CF28D4D4A9AB7E4FF4A324F14855EE99A8B3A2DB34ED44CFA1

Function 006E2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 006E271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 006E2724
UnhandledExceptionFilter.KERNEL32(?), ref: 006E2731

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 9f7ad0d01c2f920be7cc6f39f1122b61a6a6f0a21db6854dcff36d8f45aaf927
Instruction ID: 814eeb4c94997fd0f57918bc82f8690ebf07c567df5ecb39f9cedf70fd9899d9
Opcode Fuzzy Hash: 9f7ad0d01c2f920be7cc6f39f1122b61a6a6f0a21db6854dcff36d8f45aaf927
Instruction Fuzzy Hash: A031C4749013199BCB61DF65DC887DCBBB9AF08310F5041EAE40CA6261E7749F818F49

Function 007251CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007251DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00725238
SetErrorMode.KERNEL32(00000000), ref: 007252A1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 4bf3da67e0d95360b52ff135b0e7a9eab23ab398fc7630795cf483f157d27e0b
Instruction ID: 81fd925617397a3503cc495a9bffdb567d7efd0f4cd994ee59c74cad506821ca
Opcode Fuzzy Hash: 4bf3da67e0d95360b52ff135b0e7a9eab23ab398fc7630795cf483f157d27e0b
Instruction Fuzzy Hash: B0317CB5A00518DFDB00DF54D884EADBBF5FF49314F188099E805AB3A2DB35E945CBA0

Function 007116C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 006CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006D0668
Part of subcall function 006CFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 006D0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0071170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0071173A
GetLastError.KERNEL32 ref: 0071174A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: fce2d10c2ad470b2d3203399a74632d2fa9884e12b12d39b7f687afaa76d4ee1
Instruction ID: 8126d4bae5b14fa72077205c6565cb0725793453e3e30da7f2fc82f77e3e2434
Opcode Fuzzy Hash: fce2d10c2ad470b2d3203399a74632d2fa9884e12b12d39b7f687afaa76d4ee1
Instruction Fuzzy Hash: 2F11CEB2400304AFD718AF58DC86EAAB7BAEF04714B20852EE05657291EB74BC818B24

Function 0071D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0071D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0071D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0071D650

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 179e3d1d6ed3a1c199a0ea4427b552ab91d826cb947ff6e0bd82a3d14cd3be42
Instruction ID: 09e43db6da9390cf8b06da3fb949c57a9fb9d147b24c0df9637f95c9768a2a51
Opcode Fuzzy Hash: 179e3d1d6ed3a1c199a0ea4427b552ab91d826cb947ff6e0bd82a3d14cd3be42
Instruction Fuzzy Hash: 98117C75E01228BBDB208F989C44FAFBBBCEB45B50F108112F904E7290C2B45A018BA1

Function 00711663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0071168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007116A1
FreeSid.ADVAPI32(?), ref: 007116B1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: e1b044efc2f3941e61e4d68a6a0e3ff3c966b4256fc077f30f02cb3b7521457a
Instruction ID: 8596e7d97d324cc649b0c4b2376c310764446c292afb98b7908e24dfdcba5098
Opcode Fuzzy Hash: e1b044efc2f3941e61e4d68a6a0e3ff3c966b4256fc077f30f02cb3b7521457a
Instruction Fuzzy Hash: DBF04475A41308FBDB00CFE48C89AAEBBBCEB08200F408861E600E2190E738AA448A54

Function 006EC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 006EC36C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: aadc8548a3680bea414cccff8be12169627eda3fd4b840119bc08e85fc1fcbf0
Instruction ID: e197a9859fc8e25106c9167c9831a504f827e8d6732991b15490a8e24053c858
Opcode Fuzzy Hash: aadc8548a3680bea414cccff8be12169627eda3fd4b840119bc08e85fc1fcbf0
Instruction Fuzzy Hash: 35413A72501359AFCB209FBACC48DFB77BAEB84324F10416DF915D7280E6309E428B54

Function 0070D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0070D28C

Strings

X64, xrefs: 0070D2A8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 06ab71ac291041bb28a004203b7ad4ff54b4e22724839a334e9a9708f2e80cff
Instruction ID: 47568380fd5f95a1e4c348a7bd5d588b3b5f9c5fe3d98f3b9f11f7d7bf834bbf
Opcode Fuzzy Hash: 06ab71ac291041bb28a004203b7ad4ff54b4e22724839a334e9a9708f2e80cff
Instruction Fuzzy Hash: B0D0C9B480211DEBCB90CB90DC88DE9B3BCBB04315F104256F106A2040D73495498F10

Function 006DCAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: ba6482a0914f35a72385902a6590db340da1e063692a6cb04c091aafe7746777
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: E302FC71E0111A9BDF14CFA9C9806EDFBF2EF48324F25426AD919EB384D731A941CB94

Function 006BCAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00700C40
p#x, xrefs: 006BCF7F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#x
API String ID: 0-252530211
Opcode ID: 9d140af9418e55c6dca03467c233a0165510c75584f0da4ddf3d881a266ffb19
Instruction ID: 8d7ba9665ed8d291f732b857ce0b26de4b416fc055e884dac1fc0972c2b39dbf
Opcode Fuzzy Hash: 9d140af9418e55c6dca03467c233a0165510c75584f0da4ddf3d881a266ffb19
Instruction Fuzzy Hash: 52329EB4900218DBDF14DF94C895BFDB7B6FF04324F148169E806AB292D775AE86CB60

Function 007268EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00726918
FindClose.KERNEL32(00000000), ref: 00726961

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5ba35c412cd66e0fe2d8ae41f19ac93a61c97a7e0a74a7ffa6aad939444114c9
Instruction ID: 8a6fcaf71db056d09f3f3abbee5607891cbf03eafadee08bf6c4cc3a89d6a96c
Opcode Fuzzy Hash: 5ba35c412cd66e0fe2d8ae41f19ac93a61c97a7e0a74a7ffa6aad939444114c9
Instruction Fuzzy Hash: B811D0756042109FD710CF29D484A26BBE5FF85328F04C69EF4A98F2A2CB74EC45CB90

Function 007237B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00734891,?,?,00000035,?), ref: 007237E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00734891,?,?,00000035,?), ref: 007237F4

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2eaf3bb2cc03cb0ec3930e69b012e92e8029b5c0e737278afb2602a955c4105b
Instruction ID: 7f8989cde01dab1a10df54ff8cccbf799727805d3d1c9f7506ce3dc71ae012e5
Opcode Fuzzy Hash: 2eaf3bb2cc03cb0ec3930e69b012e92e8029b5c0e737278afb2602a955c4105b
Instruction Fuzzy Hash: 0DF05CB06012282BDB5017655C4CFEB3AAEEFC5760F000225F104D2280C6744900C7B0

Function 0071B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0071B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0071B270

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 1b8cde4e4d722622d732fdf5f7b6e46cf3e06e8f3580440404906b4c647ecfac
Instruction ID: b55a1d11527a5298004b0e96d856fcc30cda95f938a956eb09b81387ba9da2d6
Opcode Fuzzy Hash: 1b8cde4e4d722622d732fdf5f7b6e46cf3e06e8f3580440404906b4c647ecfac
Instruction Fuzzy Hash: B6F06D7480424DABDB068FA4C805BEE7BB4FF08305F00800AF951A5191C37D82159F94

Function 007110BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007111FC), ref: 007110D4
CloseHandle.KERNEL32(?,?,007111FC), ref: 007110E9

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 388a3831f7552c11dc4452afd2df60b75856501921a3a794e9edf4e247b899f3
Instruction ID: 6b49432ce1987a4e9fe685517c981c6cecaee956c2d9dffd9d04742db601ae85
Opcode Fuzzy Hash: 388a3831f7552c11dc4452afd2df60b75856501921a3a794e9edf4e247b899f3
Instruction Fuzzy Hash: 31E04F32005610AFE7662B11FC05F7377AAEF04310B10C82EF5A6804B1DB62AC90DB14

Function 006E676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,006E6766,?,?,00000008,?,?,006EFEFE,00000000), ref: 006E6998

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3562a59dda73877933fff75c3a1b82e1aadcc9b3552ee9a343915c9e047ae197
Instruction ID: 23433e5bf26c943e6f9fdec255de8da193e14d04efd7db2f21fa539901c302dc
Opcode Fuzzy Hash: 3562a59dda73877933fff75c3a1b82e1aadcc9b3552ee9a343915c9e047ae197
Instruction Fuzzy Hash: C2B16D316117498FD715CF29C486BA57BE1FF153A4F258658F89ACF2A2C335E982CB40

Function 006CB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0070851F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 950547d4cb66c071a4366d4b86dc0cb24eff1ff11339d28bc92b56810ebf4a61
Instruction ID: 06c90ddea6b681634d660b308a643aff90cd66a05308624740f6063c8821965b
Opcode Fuzzy Hash: 950547d4cb66c071a4366d4b86dc0cb24eff1ff11339d28bc92b56810ebf4a61
Instruction Fuzzy Hash: 25124E71900229DBCB54CF58C881BFEB7F5FF48710F14819AE849EB295EB749A81CB91

Function 0072EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0072EABD

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 4374ae5dac79cd325a9861de477388d3c11b23943be615822834a18791104d7c
Instruction ID: 3fb72e1547a58076f3ccf8394803368b1c8caacbdbe9702918bfc0580804a6ee
Opcode Fuzzy Hash: 4374ae5dac79cd325a9861de477388d3c11b23943be615822834a18791104d7c
Instruction Fuzzy Hash: 89E01A762002149FC750EF59E804EAAB7EDAFA9760F00C41AFC4AC7251DBB4A8808B95

Function 006D09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006D03EE), ref: 006D09DA

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 887f4d0f06f38624a7fe2b039af4bcc6a53d4f5330839db18252e19a44f76344
Instruction ID: 0d16efc7c614580e29db49751e31d28518345223cea0a022faf3edb7c8877bc5
Opcode Fuzzy Hash: 887f4d0f06f38624a7fe2b039af4bcc6a53d4f5330839db18252e19a44f76344
Instruction Fuzzy Hash:

Function 006D781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 006D798B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 5bd0282c0598b3d0ff134718be5c4679c4c0f4729af602ab0698511c8814276b
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 58515972E0C6455BDB384568886E7FE63979B52300F18052FD886DB382FA15DE02F39B

Function 00722046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&x, xrefs: 00722053

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: 0&x
API String ID: 0-1177175720
Opcode ID: fd69e077845bf8272543042dddd656c960545d16f9e99e01dbf392e52bab06f7
Instruction ID: 4e70a03326538e067ea49febe163b988351a705dffe92302a4dc4c67e3292d57
Opcode Fuzzy Hash: fd69e077845bf8272543042dddd656c960545d16f9e99e01dbf392e52bab06f7
Instruction Fuzzy Hash: 5221A5327606118BD728CE79C82267A73E5A754310F25862EE4A7C77D1DE3AE905CB84

Function 006E6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67cebecee14de111356e3f8825aaec3340137b09036ad37240fc7e215a33b76
Instruction ID: a3cf9fb5aeb16e12d853599f4b5192383d4685a4234c658d2077b6e3edf011be
Opcode Fuzzy Hash: c67cebecee14de111356e3f8825aaec3340137b09036ad37240fc7e215a33b76
Instruction Fuzzy Hash: A4325921D2AF814DD7239635DC22375629AAFB73C6F14C737F81AB5AA6EF69C4834100

Function 006CCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a9c4290a8394d58c448e3f191ff58c666129456894572eee9cf1b3c25a005f
Instruction ID: a389bff8edf732eb74ee711e36a6800dca433864c9cd238cd9f2643cb488af38
Opcode Fuzzy Hash: c7a9c4290a8394d58c448e3f191ff58c666129456894572eee9cf1b3c25a005f
Instruction Fuzzy Hash: 90321471A00105CBDF2ACB28C494BBD77E2EB45314F28836AE84ACB2D1E638DD81DB51

Function 006B7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00db679f2c400b6ac2506e2cfbb876b47041bf9d148bf1473629e901645d2f55
Instruction ID: ae9b3c983813cab4273af8846dd805736d2996d1d69e59b99bde8ed32cefb50b
Opcode Fuzzy Hash: 00db679f2c400b6ac2506e2cfbb876b47041bf9d148bf1473629e901645d2f55
Instruction Fuzzy Hash: 25228DB0A0460A9FDF14DF68C881AEEB7F7FF44300F244629E916A7291EB35AD51CB54

Function 006B91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86635b4220124ee6c17960650cf8691e627450b0df5d457bf9750bf32770d872
Instruction ID: e991f8463ecfe3f7fbad13a0d6204121fd62a938a56db0011e377cde42af1079
Opcode Fuzzy Hash: 86635b4220124ee6c17960650cf8691e627450b0df5d457bf9750bf32770d872
Instruction Fuzzy Hash: CA02A6B1E00209EBDB14DF54D981AFDBBB3FF44300F108169E9169B3A1EB35AA51CB95

Function 006E9EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb8389ed199f4aece0de8e35e89650dbefbb7c588be00f30e3c5abcceee866c6
Instruction ID: 5c4acb1612e4f5bb712df15e6574a9df37ab748028bee1ed5971372001caed85
Opcode Fuzzy Hash: eb8389ed199f4aece0de8e35e89650dbefbb7c588be00f30e3c5abcceee866c6
Instruction Fuzzy Hash: F3B1F020E2AF404DD72396398831336B65CAFBB6D6F91D71BFC2674D22EB2686834144

Function 006D1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 374a109f59d7465bd3d0abd7ef26b61add25a619e134f67c27c16c5c1577e2be
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: F2918772A080A35ADB29463A85344BDFFE35E933A131A079FD4F2CE3C5EE548955D620

Function 006D19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 87fe170d9fa0c98d70f40e8240ee757023b7733139f58a11d9bebd0ffc180823
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 14917372A090A35ADB2D427A857407DFFE25A933A131E079FD4F2CE3C1FD648655D620

Function 006D7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7efed43c4262cee8ec11c5d07872d39add11ec2e69aa28b7e4005193b4e044
Instruction ID: 5f60fd391f5177e8a7e76a2787eaa1f6309e7aaf75a1ee40fb94432f1524a904
Opcode Fuzzy Hash: 2c7efed43c4262cee8ec11c5d07872d39add11ec2e69aa28b7e4005193b4e044
Instruction Fuzzy Hash: 94615871E0874A5ADA749E288DA6BFE2397DF51704F18091FE842DB381F611AE42C35B

Function 006D7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366fd7891f21154c3d22fa8206417c0268cb3c7e1e5f4a51b8d6e4d874d52e6c
Instruction ID: f9a8536908eea3b2d87c6a3c486563ed91d98344d992e2da2d6b1f5ffaa8aa69
Opcode Fuzzy Hash: 366fd7891f21154c3d22fa8206417c0268cb3c7e1e5f4a51b8d6e4d874d52e6c
Instruction Fuzzy Hash: 88614971E0870956DE385A289856BFF6397DF42704F14095FE943DB381FA12ED42825B

Function 006D1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e279c83ea72d026b18385573a8381f6e4b189b710267c5f53ffb6e03f7ed2d75
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 1E816672E090A31ADB6D8279853447EFFE35A933A131A079FD4F2CE3D1EE648554E620

Function 00732ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00732B30
DeleteObject.GDI32(00000000), ref: 00732B43
DestroyWindow.USER32 ref: 00732B52
GetDesktopWindow.USER32 ref: 00732B6D
GetWindowRect.USER32(00000000), ref: 00732B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00732CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00732CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732CF8
GetClientRect.USER32(00000000,?), ref: 00732D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00732D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D80
GlobalLock.KERNEL32(00000000), ref: 00732D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732D98
GlobalUnlock.KERNEL32(00000000), ref: 00732DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732DA8
GlobalFree.KERNEL32(00000000), ref: 00732DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0074FC38,00000000), ref: 00732DDB
GlobalFree.KERNEL32(00000000), ref: 00732DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00732E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00732E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00732E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0073303F

Strings

DISPLAY, xrefs: 00732EA2
, xrefs: 00732FC5
static, xrefs: 00732D3A, 00732E91
AutoIt v3, xrefs: 00732CF2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0b598e94cbc3b9a268786e39ff4a040f912d8569a60ee7de39987b9893db53d6
Instruction ID: fe0129f05b89d1d2a1db663fe24986f8b8f689339a44bb3381aec6e53c7d7668
Opcode Fuzzy Hash: 0b598e94cbc3b9a268786e39ff4a040f912d8569a60ee7de39987b9893db53d6
Instruction Fuzzy Hash: AB029EB5500214EFDB15DF64CC89EAE7BB9FF49310F108119F915AB2A2DB78AD01CB64

Function 007470D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0074712F
GetSysColorBrush.USER32(0000000F), ref: 00747160
GetSysColor.USER32(0000000F), ref: 0074716C
SetBkColor.GDI32(?,000000FF), ref: 00747186
SelectObject.GDI32(?,?), ref: 00747195
InflateRect.USER32(?,000000FF,000000FF), ref: 007471C0
GetSysColor.USER32(00000010), ref: 007471C8
CreateSolidBrush.GDI32(00000000), ref: 007471CF
FrameRect.USER32(?,?,00000000), ref: 007471DE
DeleteObject.GDI32(00000000), ref: 007471E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00747230
FillRect.USER32(?,?,?), ref: 00747262
GetWindowLongW.USER32(?,000000F0), ref: 00747284

Part of subcall function 007473E8: GetSysColor.USER32(00000012), ref: 00747421
Part of subcall function 007473E8: SetTextColor.GDI32(?,?), ref: 00747425
Part of subcall function 007473E8: GetSysColorBrush.USER32(0000000F), ref: 0074743B
Part of subcall function 007473E8: GetSysColor.USER32(0000000F), ref: 00747446
Part of subcall function 007473E8: GetSysColor.USER32(00000011), ref: 00747463
Part of subcall function 007473E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00747471
Part of subcall function 007473E8: SelectObject.GDI32(?,00000000), ref: 00747482
Part of subcall function 007473E8: SetBkColor.GDI32(?,00000000), ref: 0074748B
Part of subcall function 007473E8: SelectObject.GDI32(?,?), ref: 00747498
Part of subcall function 007473E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007474B7
Part of subcall function 007473E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007474CE
Part of subcall function 007473E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007474DB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 5344c63e0081efce8cc8b28b0e918b5d26c69be9cc4449a98a443fdaba0ece74
Instruction ID: 57ccd7d2fc992440ea5d36bb209d1ba2ac751739dd93f272d21252d646723fb5
Opcode Fuzzy Hash: 5344c63e0081efce8cc8b28b0e918b5d26c69be9cc4449a98a443fdaba0ece74
Instruction Fuzzy Hash: D6A1C076009301FFD7569F60DC48E6BBBB9FB8A320F104A1AF962961E1D778E800CB55

Function 006C8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 006C8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00706AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00706AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00706F43

Part of subcall function 006C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006C8BE8,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 006C8FC5

SendMessageW.USER32(?,00001053), ref: 00706F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00706F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00706FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00706FB7

Strings

0, xrefs: 00706DCF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: a3befec17d606097f88b2a6d635c7716eec795b60c3d883a62fe87c0dbd2f3a3
Instruction ID: 13da66988524c8efefc5826f426178d1ede5f892aacf9eb2e5f131659c61d45f
Opcode Fuzzy Hash: a3befec17d606097f88b2a6d635c7716eec795b60c3d883a62fe87c0dbd2f3a3
Instruction Fuzzy Hash: 0112AE74201201DFDB25CF24C864BBAB7E6FB49300F64866DE595CB2A1CB39EC62CB55

Function 00732711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0073273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0073286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007328A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007328B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00732900
GetClientRect.USER32(00000000,?), ref: 0073290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00732955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00732964
GetStockObject.GDI32(00000011), ref: 00732974
SelectObject.GDI32(00000000,00000000), ref: 00732978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00732988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00732991
DeleteDC.GDI32(00000000), ref: 0073299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007329C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007329DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00732A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00732A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00732A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00732A77
GetStockObject.GDI32(00000011), ref: 00732A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00732A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00732A97

Strings

DISPLAY, xrefs: 0073295A
msctls_progress32, xrefs: 00732A13
static, xrefs: 0073294F, 00732A71
AutoIt v3, xrefs: 007328F8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 9fe4ca6f7733921fa97fabbc5162b3484778d9fe7be8e42701f0e3605ac66b8b
Instruction ID: 1a97816b6bf96f513694ba03f9a35408f9a2d3dd5f186288d4bdd24a37aa1156
Opcode Fuzzy Hash: 9fe4ca6f7733921fa97fabbc5162b3484778d9fe7be8e42701f0e3605ac66b8b
Instruction Fuzzy Hash: 17B19FB5A40215AFEB10CF68CC49FAE7BA9FB05710F108515FA14E7291D778ED41CBA8

Function 00724ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00724AED
GetDriveTypeW.KERNEL32(?,0074CB68,?,\\.\,0074CC08), ref: 00724BCA
SetErrorMode.KERNEL32(00000000,0074CB68,?,\\.\,0074CC08), ref: 00724D36

Strings

iSCSI, xrefs: 00724CC2
SCSI, xrefs: 00724C8A
FileBackedVirtual, xrefs: 00724CEC
MMC, xrefs: 00724CDE
SAS, xrefs: 00724CC9
1394, xrefs: 00724C9F
Unknown, xrefs: 00724BED, 00724C83
ATA, xrefs: 00724C98
SSD, xrefs: 00724C4A
USB, xrefs: 00724CB4
PhysicalDrive, xrefs: 00724B76
RAMDisk, xrefs: 00724BF4
Network, xrefs: 00724C02
ATAPI, xrefs: 00724C91
Removable, xrefs: 00724C10, 00724C15
CDROM, xrefs: 00724BFB
Fixed, xrefs: 00724C09
RAID, xrefs: 00724CBB
SATA, xrefs: 00724CD0
SSA, xrefs: 00724CA6
Fibre, xrefs: 00724CAD
\\.\, xrefs: 00724B3F
Virtual, xrefs: 00724CE5

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 99c962346cae2fd4416825505e6e99d527da85e0d9ee952468a26cf4be54bbbd
Instruction ID: 8527ecaae412f3bee853044431c2336646bf9f9a4507313c47d8651a96d49623
Opcode Fuzzy Hash: 99c962346cae2fd4416825505e6e99d527da85e0d9ee952468a26cf4be54bbbd
Instruction Fuzzy Hash: 6661D3B0701615DBCF15DF28DA919B877F1EB04380B24841AF80AAB695DB3DEDC1DB61

Function 007473E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00747421
SetTextColor.GDI32(?,?), ref: 00747425
GetSysColorBrush.USER32(0000000F), ref: 0074743B
GetSysColor.USER32(0000000F), ref: 00747446
CreateSolidBrush.GDI32(?), ref: 0074744B
GetSysColor.USER32(00000011), ref: 00747463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00747471
SelectObject.GDI32(?,00000000), ref: 00747482
SetBkColor.GDI32(?,00000000), ref: 0074748B
SelectObject.GDI32(?,?), ref: 00747498
InflateRect.USER32(?,000000FF,000000FF), ref: 007474B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007474CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007474DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0074752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00747554
InflateRect.USER32(?,000000FD,000000FD), ref: 00747572
DrawFocusRect.USER32(?,?), ref: 0074757D
GetSysColor.USER32(00000011), ref: 0074758E
SetTextColor.GDI32(?,00000000), ref: 00747596
DrawTextW.USER32(?,007470F5,000000FF,?,00000000), ref: 007475A8
SelectObject.GDI32(?,?), ref: 007475BF
DeleteObject.GDI32(?), ref: 007475CA
SelectObject.GDI32(?,?), ref: 007475D0
DeleteObject.GDI32(?), ref: 007475D5
SetTextColor.GDI32(?,?), ref: 007475DB
SetBkColor.GDI32(?,?), ref: 007475E5

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 46f12b3be9b3dab364c3a56670570809865979c25c8637afda140f8973092f1c
Instruction ID: e0bba3766f3862103d3a66cb267ab6595fe4a35645fe4f23d66c6d4743bebde0
Opcode Fuzzy Hash: 46f12b3be9b3dab364c3a56670570809865979c25c8637afda140f8973092f1c
Instruction Fuzzy Hash: 24619F76901218AFDF059FA4DC49EEEBFB9EB09320F118116F911BB2A1D7789940CF90

Function 00740FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00741128
GetDesktopWindow.USER32 ref: 0074113D
GetWindowRect.USER32(00000000), ref: 00741144
GetWindowLongW.USER32(?,000000F0), ref: 00741199
DestroyWindow.USER32(?), ref: 007411B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007411ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0074120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0074121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00741232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00741245
IsWindowVisible.USER32(00000000), ref: 007412A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007412BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007412D0
GetWindowRect.USER32(00000000,?), ref: 007412E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0074130E
GetMonitorInfoW.USER32(00000000,?), ref: 00741328
CopyRect.USER32(?,?), ref: 0074133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007413AA

Strings

tooltips_class32, xrefs: 007411E6
(, xrefs: 0074131B
0, xrefs: 007410D3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 0998a256da21b74def0c21edab4ab9231af89d29cedbc6c27b03284f234ad4bd
Instruction ID: f488d50898e1ddd54288d5471e65cc42b8cfd55c0b63590034fdfcee00783b39
Opcode Fuzzy Hash: 0998a256da21b74def0c21edab4ab9231af89d29cedbc6c27b03284f234ad4bd
Instruction Fuzzy Hash: FCB1BC71604340AFD750EF24C884BABBBE5FF85300F40891DF9999B2A1C775E884CBA6

Function 00740241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007402E5
_wcslen.LIBCMT ref: 0074031F
_wcslen.LIBCMT ref: 00740389
_wcslen.LIBCMT ref: 007403F1
_wcslen.LIBCMT ref: 00740475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007404C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00740504

Part of subcall function 006CF9F2: _wcslen.LIBCMT ref: 006CF9FD

Part of subcall function 0071223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00712258
Part of subcall function 0071223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0071228A

Strings

SELECT, xrefs: 00740548
SELECTALL, xrefs: 00740515
ISSELECTED, xrefs: 007404DD
SELECTCLEAR, xrefs: 0074052D
GETSELECTED, xrefs: 007405E1
SELECTINVERT, xrefs: 0074057E
GETTEXT, xrefs: 007403EC, 00740407
GETSUBITEMCOUNT, xrefs: 00740384, 0074039F
GETITEMCOUNT, xrefs: 00740316, 00740337
VIEWCHANGE, xrefs: 00740675
DESELECT, xrefs: 0074059C
GETSELECTEDCOUNT, xrefs: 00740470, 0074048B
FINDITEM, xrefs: 00740627

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: fdd04ae05bb9b159a78048f6a57e2ddd2a4e51b7ce303e4b0bc70cb962bffecf
Instruction ID: b24c176dce81f657296511a428a37d856ac6e5cc85e9c5e1600b33f561b8169d
Opcode Fuzzy Hash: fdd04ae05bb9b159a78048f6a57e2ddd2a4e51b7ce303e4b0bc70cb962bffecf
Instruction Fuzzy Hash: C8E1C0712082008FCB54DF28C45097AB7E6FFC8354F14896CF9969B2A1DB38ED45CB92

Function 006C8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006C8968
GetSystemMetrics.USER32(00000007), ref: 006C8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006C899B
GetSystemMetrics.USER32(00000008), ref: 006C89A3
GetSystemMetrics.USER32(00000004), ref: 006C89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006C89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006C89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006C8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006C8A3C
GetClientRect.USER32(00000000,000000FF), ref: 006C8A5A
GetStockObject.GDI32(00000011), ref: 006C8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 006C8A81

Part of subcall function 006C912D: GetCursorPos.USER32(?), ref: 006C9141
Part of subcall function 006C912D: ScreenToClient.USER32(00000000,?), ref: 006C915E
Part of subcall function 006C912D: GetAsyncKeyState.USER32(00000001), ref: 006C9183
Part of subcall function 006C912D: GetAsyncKeyState.USER32(00000002), ref: 006C919D

SetTimer.USER32(00000000,00000000,00000028,006C90FC), ref: 006C8AA8

Strings

AutoIt v3 GUI, xrefs: 006C8A20

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ad910139318f6cfcf98f6867f8f077c15b3acc633dbc68c2f7f5d22c44989270
Instruction ID: 9810ccaa2cc4bed2eaa22f95f6260cc200d95cfac56f61576aeaca4ce14bec00
Opcode Fuzzy Hash: ad910139318f6cfcf98f6867f8f077c15b3acc633dbc68c2f7f5d22c44989270
Instruction Fuzzy Hash: 7BB1AF35640209DFDB14DF68CC55FAE7BB5FB48314F11822AFA05A72D0CB38A851CB58

Function 00710D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00711114
Part of subcall function 007110F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711120
Part of subcall function 007110F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 0071112F
Part of subcall function 007110F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711136
Part of subcall function 007110F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0071114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00710DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00710E29
GetLengthSid.ADVAPI32(?), ref: 00710E40
GetAce.ADVAPI32(?,00000000,?), ref: 00710E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00710E96
GetLengthSid.ADVAPI32(?), ref: 00710EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00710EB5
HeapAlloc.KERNEL32(00000000), ref: 00710EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00710EDD
CopySid.ADVAPI32(00000000), ref: 00710EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00710F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00710F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00710F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710F6E
HeapFree.KERNEL32(00000000), ref: 00710F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710F7E
HeapFree.KERNEL32(00000000), ref: 00710F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00710F8E
HeapFree.KERNEL32(00000000), ref: 00710F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00710FA1
HeapFree.KERNEL32(00000000), ref: 00710FA8

Part of subcall function 00711193: GetProcessHeap.KERNEL32(00000008,00710BB1,?,00000000,?,00710BB1,?), ref: 007111A1
Part of subcall function 00711193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00710BB1,?), ref: 007111A8
Part of subcall function 00711193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00710BB1,?), ref: 007111B7

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: db2b04224bb45e9c2653ba82e28d21690379f593e1f58027877b62028eeb2eb5
Instruction ID: 5d4457f7ceea0e105241b0566135e445e5a98c78bcd338ac929411a784e3ae7d
Opcode Fuzzy Hash: db2b04224bb45e9c2653ba82e28d21690379f593e1f58027877b62028eeb2eb5
Instruction Fuzzy Hash: 9F718F7190120AEBDF219FA9DC49FEEBBBCBF05300F048115F919A6191D7799A85CBA0

Function 0073C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0074CC08,00000000,?,00000000,?,?), ref: 0073C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0073C5A4
_wcslen.LIBCMT ref: 0073C5F4
_wcslen.LIBCMT ref: 0073C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0073C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0073C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0073C84D
RegCloseKey.ADVAPI32(?), ref: 0073C881
RegCloseKey.ADVAPI32(00000000), ref: 0073C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0073C960

Strings

REG_SZ, xrefs: 0073C644
REG_QWORD, xrefs: 0073C8C3
REG_DWORD, xrefs: 0073C804
REG_MULTI_SZ, xrefs: 0073C6F5
REG_EXPAND_SZ, xrefs: 0073C5CD
REG_BINARY, xrefs: 0073C913

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: bef3284d79aa7de0f14420fca45eb6cf15272a9c4f1a814395190307f92f0243
Instruction ID: 5f58e9a8717e73bd41d8c3009461d61a5b0b69ad54da085a47019a1c5f92b20d
Opcode Fuzzy Hash: bef3284d79aa7de0f14420fca45eb6cf15272a9c4f1a814395190307f92f0243
Instruction Fuzzy Hash: 2D12AC756042009FD755DF14C881A6AB7E6FF88314F04889DF88AAB3A2DB35FD41CB85

Function 0074091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007409C6
_wcslen.LIBCMT ref: 00740A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00740A54
_wcslen.LIBCMT ref: 00740A8A
_wcslen.LIBCMT ref: 00740B06
_wcslen.LIBCMT ref: 00740B81

Part of subcall function 006CF9F2: _wcslen.LIBCMT ref: 006CF9FD

Part of subcall function 00712BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00712BFA

Strings

SELECT, xrefs: 00740D11
GETTEXT, xrefs: 00740C97
COLLAPSE, xrefs: 00740B01, 00740B1C
GETTOTALCOUNT, xrefs: 007409F2, 00740A17
EXPAND, xrefs: 00740BF8
UNCHECK, xrefs: 00740D3E
CHECK, xrefs: 00740A85, 00740AA0
GETSELECTED, xrefs: 00740C4E
EXISTS, xrefs: 00740B7C, 00740B97
GETITEMCOUNT, xrefs: 00740C1E
ISCHECKED, xrefs: 00740CE1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 15c154a84d77cbca4c15d43641bb6a4cc22743e18752e355338afd5a84846b59
Instruction ID: ad4ed2b59e4e6678cc372c2ff8ee604b44027471f79d629534606cb1d480637a
Opcode Fuzzy Hash: 15c154a84d77cbca4c15d43641bb6a4cc22743e18752e355338afd5a84846b59
Instruction Fuzzy Hash: 05E1BB712083018FCB54DF24C45096AB7E2FF88354B14895DF99A9B3A2DB38ED86CBD5

Function 0073C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
_wcslen.LIBCMT ref: 0073C9F1
_wcslen.LIBCMT ref: 0073CA68
_wcslen.LIBCMT ref: 0073CA9E
_wcslen.LIBCMT ref: 0073CAF9
_wcslen.LIBCMT ref: 0073CB2F
_wcslen.LIBCMT ref: 0073CB7F

Strings

HKLM, xrefs: 0073CA98, 0073CA9D
HKU, xrefs: 0073CBF0
HKCU, xrefs: 0073CBCE
HKEY_CURRENT_USER, xrefs: 0073CBBD
HKEY_LOCAL_MACHINE, xrefs: 0073CA62, 0073CA67
HKEY_CLASSES_ROOT, xrefs: 0073CAF3, 0073CAF8
HKCC, xrefs: 0073CBAC
HKEY_CURRENT_CONFIG, xrefs: 0073CB79, 0073CB7E
HKCR, xrefs: 0073CB29, 0073CB2E
HKEY_USERS, xrefs: 0073CBDF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 4aac105c500ee317cfbeef7aeee2fb73681666576e7e9e14a13e76034ca37f32
Instruction ID: b2108e9a440f69e02ef9b47c96763ad15a6d810c9fe38e0f38d68fef81e4804d
Opcode Fuzzy Hash: 4aac105c500ee317cfbeef7aeee2fb73681666576e7e9e14a13e76034ca37f32
Instruction Fuzzy Hash: 3F71077360012A8BEF12DF7CCD515BA3392AF60790F258529F855BB286EA3DCD45C3A0

Function 0074833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0074835A
_wcslen.LIBCMT ref: 0074836E
_wcslen.LIBCMT ref: 00748391
_wcslen.LIBCMT ref: 007483B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007483F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00745BF2), ref: 0074844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00748487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007484CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00748501
FreeLibrary.KERNEL32(?), ref: 0074850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0074851D
DestroyIcon.USER32(?,?,?,?,?,00745BF2), ref: 0074852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00748549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00748555

Strings

.dll, xrefs: 007483AB
.exe, xrefs: 00748388
.icl, xrefs: 00748368

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5085cedaa080fae1a01675227ef36b040f46b49e51fd4bd96fed6090e8dc6e4d
Instruction ID: e16350ae5234a7553a3cfe0c29fa19f3b4bc666013715e4f963f87cf6df9b560
Opcode Fuzzy Hash: 5085cedaa080fae1a01675227ef36b040f46b49e51fd4bd96fed6090e8dc6e4d
Instruction Fuzzy Hash: D861F271900219BBEB54CF64CC81BBE77A8BF04720F10850AF915DA1D1DFB8AE90CBA0

Function 006B7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#pragma compile, xrefs: 006B77D3
#cs, xrefs: 006B7873, 006B78C5
Unterminated group of comments, xrefs: 006F528C
', xrefs: 006F5169
Bad directive syntax error, xrefs: 006F519A
Cannot parse #include, xrefs: 006F5279
#comments-start, xrefs: 006B785F, 006B78B1
#include-once, xrefs: 006B782F
#comments-end, xrefs: 006B78D9
#notrayicon, xrefs: 006B77E7
#ce, xrefs: 006B78ED
#include, xrefs: 006B7847
", xrefs: 006F5153
#requireadmin, xrefs: 006B77FF
#OnAutoItStartRegister, xrefs: 006B7817

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 1d6b0121e801eb6d42b7e7267a9abf23ce9174f137613c2bebe046c4f0855c60
Instruction ID: b464907d9266e9b47e8e59486845c9186a4451e6dd75fe392c039111401706a0
Opcode Fuzzy Hash: 1d6b0121e801eb6d42b7e7267a9abf23ce9174f137613c2bebe046c4f0855c60
Instruction Fuzzy Hash: 7781E7B1A04605BBDB20AF60CC46FFE37A7AF55300F044029FA05AB296EF74D951D7A5

Function 00723E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00723EF8
_wcslen.LIBCMT ref: 00723F03
_wcslen.LIBCMT ref: 00723F5A
_wcslen.LIBCMT ref: 00723F98
GetDriveTypeW.KERNEL32(?), ref: 00723FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0072401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00724059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00724087

Strings

open , xrefs: 00723FE5
set cd door , xrefs: 00724028
close, xrefs: 00723EFE, 00723F18
close cd wait, xrefs: 00724072
closed, xrefs: 00723F08, 00723F2D, 00723F46, 00723F7E, 00723F97
open, xrefs: 00723F54, 00723F59
wait, xrefs: 00724044
type cdaudio alias cd wait, xrefs: 00724001

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: e69856cda345036c18c9b9f2f5c0a93b7ed897c9ed694d80db847cc8d5d1d813
Instruction ID: 73e0ab6e69ed3e165cf9d8a68088546cd4efcf9dd74288b8504b49f11898c15d
Opcode Fuzzy Hash: e69856cda345036c18c9b9f2f5c0a93b7ed897c9ed694d80db847cc8d5d1d813
Instruction Fuzzy Hash: 917102B26043219FC710EF24D8808ABB7F5EF94754F10892DF99597251EB38EE89CB91

Function 00715A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00715A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00715A40
SetWindowTextW.USER32(?,?), ref: 00715A57
GetDlgItem.USER32(?,000003EA), ref: 00715A6C
SetWindowTextW.USER32(00000000,?), ref: 00715A72
GetDlgItem.USER32(?,000003E9), ref: 00715A82
SetWindowTextW.USER32(00000000,?), ref: 00715A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00715AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00715AC3
GetWindowRect.USER32(?,?), ref: 00715ACC
_wcslen.LIBCMT ref: 00715B33
SetWindowTextW.USER32(?,?), ref: 00715B6F
GetDesktopWindow.USER32 ref: 00715B75
GetWindowRect.USER32(00000000), ref: 00715B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00715BD3
GetClientRect.USER32(?,?), ref: 00715BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00715C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00715C2F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 100c10456f26416f26b1227ad3f14bf89847c81f1fd94311cef865c09fd7e018
Instruction ID: b32ac43bcff129e1ce87f5d257a5490251fd4c0816fc65bf195a9fb7dc17a51d
Opcode Fuzzy Hash: 100c10456f26416f26b1227ad3f14bf89847c81f1fd94311cef865c09fd7e018
Instruction Fuzzy Hash: 31719F71900B09EFDB25DFA8CE85AAEBBF5FF88704F108519E142A25E0D779E940CB54

Function 0072FE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 0072FE27
LoadCursorW.USER32(00000000,00007F8A), ref: 0072FE32
LoadCursorW.USER32(00000000,00007F00), ref: 0072FE3D
LoadCursorW.USER32(00000000,00007F03), ref: 0072FE48
LoadCursorW.USER32(00000000,00007F8B), ref: 0072FE53
LoadCursorW.USER32(00000000,00007F01), ref: 0072FE5E
LoadCursorW.USER32(00000000,00007F81), ref: 0072FE69
LoadCursorW.USER32(00000000,00007F88), ref: 0072FE74
LoadCursorW.USER32(00000000,00007F80), ref: 0072FE7F
LoadCursorW.USER32(00000000,00007F86), ref: 0072FE8A
LoadCursorW.USER32(00000000,00007F83), ref: 0072FE95
LoadCursorW.USER32(00000000,00007F85), ref: 0072FEA0
LoadCursorW.USER32(00000000,00007F82), ref: 0072FEAB
LoadCursorW.USER32(00000000,00007F84), ref: 0072FEB6
LoadCursorW.USER32(00000000,00007F04), ref: 0072FEC1
LoadCursorW.USER32(00000000,00007F02), ref: 0072FECC
GetCursorInfo.USER32(?), ref: 0072FEDC
GetLastError.KERNEL32 ref: 0072FF1E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 37f319e66719eac2c1c5649dee89e971cc41e741aff30e9fb8d868cff959ae64
Instruction ID: 5d189dd9c46ecfbceedc6cc7840c546b769c5f17480faf959448022d978b37ee
Opcode Fuzzy Hash: 37f319e66719eac2c1c5649dee89e971cc41e741aff30e9fb8d868cff959ae64
Instruction Fuzzy Hash: 964140B0D053196ADB109FBA9C8986EBFF8FF04354B50853AF119E7281DB78A9018F91

Function 007130F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0071318D
_wcslen.LIBCMT ref: 007131F8

Strings

NAME, xrefs: 00713335, 00713346
CLASSNN, xrefs: 007131F3, 00713204
[w, xrefs: 0071339A
CLASS, xrefs: 00713188, 007131A5
INSTANCE, xrefs: 00713453
TEXT, xrefs: 0071347C
REGEXPCLASS, xrefs: 00713255, 00713266

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[w
API String ID: 176396367-778023905
Opcode ID: 83172e9e9fb767e7cda6386b2cc8e67fc0095618325d7da5228cb798d475d87f
Instruction ID: 2c0607b04ead8293926ae260145256ef93f6b099fc4e1dd3cd09ba607f7104c2
Opcode Fuzzy Hash: 83172e9e9fb767e7cda6386b2cc8e67fc0095618325d7da5228cb798d475d87f
Instruction Fuzzy Hash: 65E1E432A00516ABCF189FBCC451AFDBBB5BF44750F14812AE856B7280DB38AEC597D0

Function 006D00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006D00C6

Part of subcall function 006D00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0078070C,00000FA0,F273EB57,?,?,?,?,006F23B3,000000FF), ref: 006D011C
Part of subcall function 006D00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006F23B3,000000FF), ref: 006D0127
Part of subcall function 006D00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006F23B3,000000FF), ref: 006D0138
Part of subcall function 006D00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006D014E
Part of subcall function 006D00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006D015C
Part of subcall function 006D00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006D016A
Part of subcall function 006D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D0195
Part of subcall function 006D00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D01A0

___scrt_fastfail.LIBCMT ref: 006D00E7

Part of subcall function 006D00A3: __onexit.LIBCMT ref: 006D00A9

Strings

InitializeConditionVariable, xrefs: 006D0148
WakeAllConditionVariable, xrefs: 006D0162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 006D0122
kernel32.dll, xrefs: 006D0133
SleepConditionVariableCS, xrefs: 006D0154

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: f7465cf3241ccde131f75ab0d3aa86fed56844ca296a8868db7ca6a52224e89d
Instruction ID: 8705ce8aadf78f3cc340464df7befaa06bfbb2ccf95a82c90a9eee029bfea0c3
Opcode Fuzzy Hash: f7465cf3241ccde131f75ab0d3aa86fed56844ca296a8868db7ca6a52224e89d
Instruction Fuzzy Hash: 6121F6B2E457147BFB516BB4AC05F6A3396EB4AB51F10813FF801E2391DB7898008A98

Function 007244C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0074CC08), ref: 00724527
_wcslen.LIBCMT ref: 0072453B
_wcslen.LIBCMT ref: 00724599
_wcslen.LIBCMT ref: 007245F4
_wcslen.LIBCMT ref: 0072463F
_wcslen.LIBCMT ref: 007246A7

Part of subcall function 006CF9F2: _wcslen.LIBCMT ref: 006CF9FD

GetDriveTypeW.KERNEL32(?,00776BF0,00000061), ref: 00724743

Strings

ramdisk, xrefs: 007246F1
all, xrefs: 00724531, 00724536
fixed, xrefs: 00724635, 0072463A
removable, xrefs: 007245EA, 007245EF
cdrom, xrefs: 0072458F, 00724594
unknown, xrefs: 00724708
network, xrefs: 0072469D, 007246A2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: a2fb66de150f2c623e0062df3cc1674bacaace78daec70aabf28365f438bee20
Instruction ID: 3d57e41ceb2ef36307e49675541163ae24a761fedbc5ba72a9167b31dcaaa204
Opcode Fuzzy Hash: a2fb66de150f2c623e0062df3cc1674bacaace78daec70aabf28365f438bee20
Instruction Fuzzy Hash: F8B1F2716083229FC710DF28E890A7AB7E6FFA5760F50491DF496C7291D738D984CBA2

Function 0074911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

DragQueryPoint.SHELL32(?,?), ref: 00749147

Part of subcall function 00747674: ClientToScreen.USER32(?,?), ref: 0074769A
Part of subcall function 00747674: GetWindowRect.USER32(?,?), ref: 00747710
Part of subcall function 00747674: PtInRect.USER32(?,?,00748B89), ref: 00747720

SendMessageW.USER32(?,000000B0,?,?), ref: 007491B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007491BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007491DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00749225
SendMessageW.USER32(?,000000B0,?,?), ref: 0074923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00749255
SendMessageW.USER32(?,000000B1,?,?), ref: 00749277
DragFinish.SHELL32(?), ref: 0074927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00749371

Strings

@GUI_DRAGFILE, xrefs: 00749320
@GUI_DRAGID, xrefs: 007492E9
p#x, xrefs: 007492BB
@GUI_DROPID, xrefs: 0074929E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#x
API String ID: 221274066-781702483
Opcode ID: e53dddd28eb0e553673503a7fdce9512b12a40e7d101ccefe05c8337298b6865
Instruction ID: c78a19b6c0e23f33e3c3b0bfecfd0d08ae85909d1ca7b7e9ab086e381d181cd1
Opcode Fuzzy Hash: e53dddd28eb0e553673503a7fdce9512b12a40e7d101ccefe05c8337298b6865
Instruction Fuzzy Hash: 01619C71108300AFC701EF64CC85DAFBBE9EF89350F00496EF695921A1DB749A49CB66

Function 006B326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00781990), ref: 006F2F8D
GetMenuItemCount.USER32(00781990), ref: 006F303D
GetCursorPos.USER32(?), ref: 006F3081
SetForegroundWindow.USER32(00000000), ref: 006F308A
TrackPopupMenuEx.USER32(00781990,00000000,?,00000000,00000000,00000000), ref: 006F309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006F30A9

Strings

0, xrefs: 006B327D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: b48e75b087ee20a424971b0293bdd666bdfdb1e6a2264cd366694552a9fee347
Instruction ID: 15cc0e7ff651b66bbc5a9260e54c2a23b95ed325f58ed6b813c43ed622aa4b8c
Opcode Fuzzy Hash: b48e75b087ee20a424971b0293bdd666bdfdb1e6a2264cd366694552a9fee347
Instruction Fuzzy Hash: 60710B7064121ABEEB218F64CC59FEABF66FF05324F204216F6146A3D0C7B5AD50DB90

Function 00746CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00746DEB

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00746E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00746E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00746E94
DestroyWindow.USER32(?), ref: 00746EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,006B0000,00000000), ref: 00746EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00746EFD
GetDesktopWindow.USER32 ref: 00746F16
GetWindowRect.USER32(00000000), ref: 00746F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00746F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00746F4D

Part of subcall function 006C9944: GetWindowLongW.USER32(?,000000EB), ref: 006C9952

Strings

tooltips_class32, xrefs: 00746E58, 00746EDD
0, xrefs: 00746D98

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 86e856624650e5dce32d1e6c2155167c9836636bcb93f081814a7c3254f24ff2
Instruction ID: 9a96874c6427639d76949a8bd1306c1fd8acef8abd875f9ddfb653ce56ead51f
Opcode Fuzzy Hash: 86e856624650e5dce32d1e6c2155167c9836636bcb93f081814a7c3254f24ff2
Instruction Fuzzy Hash: 39716974144340AFDB21CF18D844EAABBE9FB8A304F55845EF99987261C778E90ACB16

Function 0072C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0072C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0072C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0072C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0072C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0072C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0072C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0072C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0072C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0072C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0072C5F0
InternetCloseHandle.WININET(00000000), ref: 0072C5FB

Strings

, xrefs: 0072C575

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 21b2622b6565d46a065d0c1a85270457ec83dcb6324f8b8361809db2856da97a
Instruction ID: 5118761cd6828361bc4ad130a04511f0114da661d889183bb21c3c9b15ddd374
Opcode Fuzzy Hash: 21b2622b6565d46a065d0c1a85270457ec83dcb6324f8b8361809db2856da97a
Instruction Fuzzy Hash: 5D517BB5500618BFEB239F61D988AAF7BFCFF19344F10841AF94596210DB78EA14DB60

Function 0074856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00748592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007485A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007485AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007485BA
GlobalLock.KERNEL32(00000000), ref: 007485C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007485D7
GlobalUnlock.KERNEL32(00000000), ref: 007485E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007485E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007485F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0074FC38,?), ref: 00748611
GlobalFree.KERNEL32(00000000), ref: 00748621
GetObjectW.GDI32(?,00000018,?), ref: 00748641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00748671
DeleteObject.GDI32(?), ref: 00748699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007486AF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 98e6e5482e415bf1af9c9109c95e0bc93c725d288211e8357c39a0a0c2a099a0
Instruction ID: 653f4859cfd7e247e7f269e12c6c2a7f7088cd39fe1b8b4e2ca1f641e461f991
Opcode Fuzzy Hash: 98e6e5482e415bf1af9c9109c95e0bc93c725d288211e8357c39a0a0c2a099a0
Instruction Fuzzy Hash: 06413C75601208AFDB519FA5CC48EAE7BB8FF8A711F118059F905E7260DB789D01CB25

Function 007214BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00721502
VariantCopy.OLEAUT32(?,?), ref: 0072150B
VariantClear.OLEAUT32(?), ref: 00721517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007215FB
VarR8FromDec.OLEAUT32(?,?), ref: 00721657
VariantInit.OLEAUT32(?), ref: 00721708
SysFreeString.OLEAUT32(?), ref: 0072178C
VariantClear.OLEAUT32(?), ref: 007217D8
VariantClear.OLEAUT32(?), ref: 007217E7
VariantInit.OLEAUT32(00000000), ref: 00721823

Strings

Default, xrefs: 007216AF
%4d%02d%02d%02d%02d%02d, xrefs: 00721625

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: acd05311cccdb83aed8b5082abf70b4bded85706b0a19c2cb00e18a01e816dd9
Instruction ID: 9de59d811457d118545713129b4b6ff0b0cc425ca6eefaf6a9899c6fb21ef34e
Opcode Fuzzy Hash: acd05311cccdb83aed8b5082abf70b4bded85706b0a19c2cb00e18a01e816dd9
Instruction Fuzzy Hash: 67D12471A00225DBDB009F66E885BBDB7B6FF55700F90809AF406AB280DB38ED51DB61

Function 0073B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0073B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0073B80A
RegCloseKey.ADVAPI32(?), ref: 0073B87E
RegCloseKey.ADVAPI32(?), ref: 0073B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0073B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0073B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0073B922
FreeLibrary.KERNEL32(00000000), ref: 0073B983
RegCloseKey.ADVAPI32(00000000), ref: 0073B994

Strings

RegDeleteKeyExW, xrefs: 0073B8FE
advapi32.dll, xrefs: 0073B8ED

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: dc189d85639479062f122a8228c85850626daf0971b7e789f912ddfe75d0518f
Instruction ID: 6370c8c59afad4624d85723d3d38510478560a000a657b96bd868209ccdd83bc
Opcode Fuzzy Hash: dc189d85639479062f122a8228c85850626daf0971b7e789f912ddfe75d0518f
Instruction Fuzzy Hash: 16C17A74204201EFE714DF14C495F6ABBE5EF84318F14849DF69A8B2A3CB39E985CB91

Function 0073255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007325D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007325E8
CreateCompatibleDC.GDI32(?), ref: 007325F4
SelectObject.GDI32(00000000,?), ref: 00732601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0073266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007326AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007326D0
SelectObject.GDI32(?,?), ref: 007326D8
DeleteObject.GDI32(?), ref: 007326E1
DeleteDC.GDI32(?), ref: 007326E8
ReleaseDC.USER32(00000000,?), ref: 007326F3

Strings

(, xrefs: 0073268D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 9bd3191a19b37435cc0b0e8859561fc5b6934575c634eaf593a3d3846751856e
Instruction ID: 66c0c9c827b1f970adab1557b8b96576fde86501832ced0fc490aee666a19e54
Opcode Fuzzy Hash: 9bd3191a19b37435cc0b0e8859561fc5b6934575c634eaf593a3d3846751856e
Instruction Fuzzy Hash: 6C6112B5D00219EFDF05CFA4D884EAEBBB6FF48310F20842AE955A7251D774A941CF54

Function 006EDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 006EDAA1

Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED659
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED66B
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED67D
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED68F
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6A1
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6B3
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6C5
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6D7
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6E9
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED6FB
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED70D
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED71F
Part of subcall function 006ED63C: _free.LIBCMT ref: 006ED731

_free.LIBCMT ref: 006EDA96

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006EDAB8
_free.LIBCMT ref: 006EDACD
_free.LIBCMT ref: 006EDAD8
_free.LIBCMT ref: 006EDAFA
_free.LIBCMT ref: 006EDB0D
_free.LIBCMT ref: 006EDB1B
_free.LIBCMT ref: 006EDB26
_free.LIBCMT ref: 006EDB5E
_free.LIBCMT ref: 006EDB65
_free.LIBCMT ref: 006EDB82
_free.LIBCMT ref: 006EDB9A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6f30d1c02270d33bec1f5a7739fcfd5764dc05d3bfcf2ef7278b4a2581787d08
Instruction ID: d2219c7569e208f7eec80ad33a5d36fde5a19fd7a03c8d9dab7165f8cf1e5be8
Opcode Fuzzy Hash: 6f30d1c02270d33bec1f5a7739fcfd5764dc05d3bfcf2ef7278b4a2581787d08
Instruction Fuzzy Hash: 263180715063899FDB61AA3BD846B9A77EBFF00710F11442DE458DB292DF35AD408B24

Function 0071365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0071369C
_wcslen.LIBCMT ref: 007136A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00713797
GetClassNameW.USER32(?,?,00000400), ref: 0071380C
GetDlgCtrlID.USER32(?), ref: 0071385D
GetWindowRect.USER32(?,?), ref: 00713882
GetParent.USER32(?), ref: 007138A0
ScreenToClient.USER32(00000000), ref: 007138A7
GetClassNameW.USER32(?,?,00000100), ref: 00713921
GetWindowTextW.USER32(?,?,00000400), ref: 0071395D

Strings

%s%u, xrefs: 00713734

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: ceb798f55502e8795a5d4022b25ccaeb52d7cb1c01774d878774e44f1c3b3661
Instruction ID: 9d6744347efc6241b86adc23b4b2625c3cc5235bfc32ee2e46b9b9c58f3192fb
Opcode Fuzzy Hash: ceb798f55502e8795a5d4022b25ccaeb52d7cb1c01774d878774e44f1c3b3661
Instruction Fuzzy Hash: 6191D571204606AFD715DF28C885FEAF7A9FF44354F008629F999D21D0DB38EA85CBA1

Function 00714954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00714994
GetWindowTextW.USER32(?,?,00000400), ref: 007149DA
_wcslen.LIBCMT ref: 007149EB
CharUpperBuffW.USER32(?,00000000), ref: 007149F7
_wcsstr.LIBVCRUNTIME ref: 00714A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00714A64
GetWindowTextW.USER32(?,?,00000400), ref: 00714A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00714AE6
GetClassNameW.USER32(?,?,00000400), ref: 00714B20
GetWindowRect.USER32(?,?), ref: 00714B8B

Strings

ThumbnailClass, xrefs: 00714A6F, 00714AF1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8b916b9fbea4634a6301d4886533bb1156e073790b0542fb5509d71c473fdb22
Instruction ID: 00c3853e829081632ee30d09f6ed64e28b9758203938d539dfef892eed8bdf30
Opcode Fuzzy Hash: 8b916b9fbea4634a6301d4886533bb1156e073790b0542fb5509d71c473fdb22
Instruction Fuzzy Hash: A991BDB10082059FDB14CF18C985BEA77E9FF84354F04846AFD899A1D6DB38ED85CBA1

Function 00748D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00748D5A
GetFocus.USER32 ref: 00748D6A
GetDlgCtrlID.USER32(00000000), ref: 00748D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00748E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00748ECF
GetMenuItemCount.USER32(?), ref: 00748EEC
GetMenuItemID.USER32(?,00000000), ref: 00748EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00748F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00748F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00748FA1

Strings

0, xrefs: 00748E9F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 5257b8edd9f1d3e89821ad8dd74896ad0aabb83ef3e42e675032f403f9222d92
Instruction ID: 18f983848d0129204476532bb7704f6fb0aa4314ef92619627cf4554aab5ea09
Opcode Fuzzy Hash: 5257b8edd9f1d3e89821ad8dd74896ad0aabb83ef3e42e675032f403f9222d92
Instruction Fuzzy Hash: 0F81E071504319AFD790CF24C884EAFBBE9FB89310F14491EF99497291DB38D905CB62

Function 0071DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0071DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0071DC46
_wcslen.LIBCMT ref: 0071DC50
_wcsstr.LIBVCRUNTIME ref: 0071DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0071DCBC

Strings

StringFileInfo\, xrefs: 0071DC8F
DefaultLangCodepage, xrefs: 0071DD1F
04090000, xrefs: 0071DCF2
\VarFileInfo\Translation, xrefs: 0071DCB4
%u.%u.%u.%u, xrefs: 0071DD9A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 815a00eea666e8e93aa290152b967bbf46b1a497c7b1ca3528d18129cceda91d
Instruction ID: 21fecaa83f8592e08e94f4af4d7e3a1312d566b092184a15c33e1f6afd230c5a
Opcode Fuzzy Hash: 815a00eea666e8e93aa290152b967bbf46b1a497c7b1ca3528d18129cceda91d
Instruction Fuzzy Hash: 194104B2A402007ADB51A774AC43EFF376DDF56750F10406EF901A62C2EB789E008BB9

Function 0073CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0073CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0073CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0073CD48

Part of subcall function 0073CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0073CCAA
Part of subcall function 0073CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0073CCBD
Part of subcall function 0073CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0073CCCF
Part of subcall function 0073CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0073CD05
Part of subcall function 0073CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0073CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0073CCF3

Strings

RegDeleteKeyExW, xrefs: 0073CCC9
advapi32.dll, xrefs: 0073CCB8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: da68f03e76a6687b4f28c144728634a4ce3db1185a46fd45c7e732d4039fde82
Instruction ID: 7989e8a6416af7796235fa4f9831b1af70f4099ed57e4e5bc4b2e6d5e5306e56
Opcode Fuzzy Hash: da68f03e76a6687b4f28c144728634a4ce3db1185a46fd45c7e732d4039fde82
Instruction Fuzzy Hash: 503180B5A02128BBEB228B50DC88EFFBB7CEF06740F004165B905E6151DB389A45DBB0

Function 00723D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00723D40
_wcslen.LIBCMT ref: 00723D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00723D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00723DBE
RemoveDirectoryW.KERNEL32(?), ref: 00723DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00723E55
CloseHandle.KERNEL32(00000000), ref: 00723E60
CloseHandle.KERNEL32(00000000), ref: 00723E6B

Strings

\, xrefs: 00723D77
\??\%s, xrefs: 00723D5B
:, xrefs: 00723D82

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 8228518875a3ceb66981836cf6abd99fbf0d146043d179cfc14f2bca2e371ca3
Instruction ID: ec7457e62f88df81de3ea298ed7198ab4fa65530ac80ed3b07c7b05b50f3d915
Opcode Fuzzy Hash: 8228518875a3ceb66981836cf6abd99fbf0d146043d179cfc14f2bca2e371ca3
Instruction Fuzzy Hash: 5531A776A00119ABDB219FA0DC49FEF37BDEF89740F1041BAF509D6150E77897448B68

Function 0071E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0071E6B4

Part of subcall function 006CE551: timeGetTime.WINMM(?,?,0071E6D4), ref: 006CE555

Sleep.KERNEL32(0000000A), ref: 0071E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0071E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0071E727
SetActiveWindow.USER32 ref: 0071E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0071E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0071E773
Sleep.KERNEL32(000000FA), ref: 0071E77E
IsWindow.USER32 ref: 0071E78A
EndDialog.USER32(00000000), ref: 0071E79B

Strings

BUTTON, xrefs: 0071E719

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 86f04657c12da3857eb22ce220e0b6afe68a0f60802e806f5c879347756fa890
Instruction ID: 1541084a7d7a70ac03c6f747d6fdadc095ba0872e909aea5e65c840630c9bbcc
Opcode Fuzzy Hash: 86f04657c12da3857eb22ce220e0b6afe68a0f60802e806f5c879347756fa890
Instruction Fuzzy Hash: 8E21F6B4341204AFFB015F24EC89E653BA9F756749F64C425FC01815E2EB7D9C418B1C

Function 0071E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0071EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0071EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0071EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0071EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0071EAA7

Strings

open , xrefs: 0071EA0C
close PlayMe, xrefs: 0071EA6E, 0071EA9B
play PlayMe wait, xrefs: 0071EA91
status PlayMe mode, xrefs: 0071EA58
alias PlayMe, xrefs: 0071EA36
play PlayMe, xrefs: 0071EAA2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 84fce69420f7d1faa37cdcde91ae9cb11572e87cf18e70313fa39182b9be0351
Instruction ID: 994a503025440023c7fbc7ef6066310a47efc39b4e479efc28ec7f2de39a50c5
Opcode Fuzzy Hash: 84fce69420f7d1faa37cdcde91ae9cb11572e87cf18e70313fa39182b9be0351
Instruction Fuzzy Hash: B811E3B0A4026979DB20A3A5DC4ADFF6F7CEFD1F40F00442DB901A20D5EE741984CAB0

Function 00715CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00715CE2
GetWindowRect.USER32(00000000,?), ref: 00715CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00715D59
GetDlgItem.USER32(?,00000002), ref: 00715D69
GetWindowRect.USER32(00000000,?), ref: 00715D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00715DCF
GetDlgItem.USER32(?,000003E9), ref: 00715DDD
GetWindowRect.USER32(00000000,?), ref: 00715DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00715E31
GetDlgItem.USER32(?,000003EA), ref: 00715E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00715E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00715E67

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 29fa91cf1d96652f9ea42d4dfa9dacdd4de03f3de1d2dc6342bb3fb3cfb25bc1
Instruction ID: 5e27d780ffc7acf3dad2f047d1284ffd0a23701707601d0f3b3658c1d0296f7d
Opcode Fuzzy Hash: 29fa91cf1d96652f9ea42d4dfa9dacdd4de03f3de1d2dc6342bb3fb3cfb25bc1
Instruction Fuzzy Hash: 8F513E74B00605AFDF19CF68DD89AAEBBB5FB88300F148229F915E7290D7749E44CB51

Function 006C8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 006C8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,006C8BE8,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 006C8FC5

DestroyWindow.USER32(?), ref: 006C8C81
KillTimer.USER32(00000000,?,?,?,?,006C8BBA,00000000,?), ref: 006C8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00706973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 007069A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,006C8BBA,00000000,?), ref: 007069B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,006C8BBA,00000000), ref: 007069D4
DeleteObject.GDI32(00000000), ref: 007069E6

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: f90f41a4335dafb8c755deb0c8c97b836ac4a422f1a688a1c72315cb7dff2cd6
Instruction ID: 6cc0afc55d76e29eead762df713b935eae8d3f6b53c4e7676096b2c7d2ae4f29
Opcode Fuzzy Hash: f90f41a4335dafb8c755deb0c8c97b836ac4a422f1a688a1c72315cb7dff2cd6
Instruction Fuzzy Hash: 4A617931102600DFCB369F14D958B7577F2FB41312F65861DE0429BAA0CB39B992DF98

Function 006C9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 006C9944: GetWindowLongW.USER32(?,000000EB), ref: 006C9952

GetSysColor.USER32(0000000F), ref: 006C9862

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 4a2cbac5824d0b170daf1c5c0af8018c94ebdda0a412ba352d9e6bb99076fc44
Instruction ID: 1ac3911802627c89970e9e0ff3dda547d9a078e6412f544305a5c6a7addce44c
Opcode Fuzzy Hash: 4a2cbac5824d0b170daf1c5c0af8018c94ebdda0a412ba352d9e6bb99076fc44
Instruction Fuzzy Hash: 0941B5355066449FDB215F389C48FB937A6EB07330F148B0AF9A28B2E1D7359D42DB24

Function 006E8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.m, xrefs: 006E903A, 006E8FD0, 006E8FF2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: .m
API String ID: 0-2594521899
Opcode ID: a9f1fff96b8085e7ecee56876c9f7a763b1d76df5313b674f1c467d4e4d36fee
Instruction ID: 3fcc06089bea46b7603606af532b1f03c4280c155506fd6141ca272bce5eaba0
Opcode Fuzzy Hash: a9f1fff96b8085e7ecee56876c9f7a763b1d76df5313b674f1c467d4e4d36fee
Instruction Fuzzy Hash: 6EC11274D06389AFCB51DFAAC841BEDBBB2AF09310F54419DE519AB392C7348941CB74

Function 007196E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,006FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00719717
LoadStringW.USER32(00000000,?,006FF7F8,00000001), ref: 00719720

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,006FF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00719742
LoadStringW.USER32(00000000,?,006FF7F8,00000001), ref: 00719745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00719866

Strings

Line %d:, xrefs: 007197A0
%s (%d) : ==> %s: %s %s, xrefs: 0071984A
^ ERROR, xrefs: 007197FB
Error: , xrefs: 0071981D
Line %d (File "%s"):, xrefs: 0071978F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b78c9ea7cdf65586ae3e48fa699138487a089c53de96e38801d25fe9a56b74bd
Instruction ID: 923a4441e851f8dac0de0202906dbea9d89cffcddc6b10142d3a41d9a535f7d4
Opcode Fuzzy Hash: b78c9ea7cdf65586ae3e48fa699138487a089c53de96e38801d25fe9a56b74bd
Instruction Fuzzy Hash: 394171B2900219AACF44FBE4CD96DEE7779AF15340F604029F20572092EB396F89CB75

Function 007106DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007107A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007107BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007107DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00710804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0071082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00710837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0071083C

Strings

\IPC$, xrefs: 00710784
\CLSID, xrefs: 00710724
SOFTWARE\Classes\, xrefs: 0071070E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 17e8a30636db6a88b842f50e5cefaab6ad669d4d6320f11f8c4b42eda72d1aa1
Instruction ID: 5bea4741d9bbae5a098b812993c205530ff78c620287995081059ad02576e1a3
Opcode Fuzzy Hash: 17e8a30636db6a88b842f50e5cefaab6ad669d4d6320f11f8c4b42eda72d1aa1
Instruction Fuzzy Hash: 07413BB5C10229ABDF15EB94DC95CEDB779BF04350B14412AE901A71A0EB74AE84CBA4

Function 00733C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00733C5C
CoInitialize.OLE32(00000000), ref: 00733C8A
CoUninitialize.OLE32 ref: 00733C94
_wcslen.LIBCMT ref: 00733D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00733DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00733ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00733F0E
CoGetObject.OLE32(?,00000000,0074FB98,?), ref: 00733F2D
SetErrorMode.KERNEL32(00000000), ref: 00733F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00733FC4
VariantClear.OLEAUT32(?), ref: 00733FD8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 3c8091180d4603c25ce096bb0d59d6f9cecf992282e9b9e6178f8aada39325fe
Instruction ID: 45134cc16d51c20449a0fec94635ad478790fb8f25424bff879e45c5acfdcaa2
Opcode Fuzzy Hash: 3c8091180d4603c25ce096bb0d59d6f9cecf992282e9b9e6178f8aada39325fe
Instruction Fuzzy Hash: F8C168B16083059FE710DF68C88492BBBE9FF89744F00491DF98A9B252D735EE45CB62

Function 00727A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00727AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00727B8F
SHGetDesktopFolder.SHELL32(?), ref: 00727BA3
CoCreateInstance.OLE32(0074FD08,00000000,00000001,00776E6C,?), ref: 00727BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00727C74
CoTaskMemFree.OLE32(?,?), ref: 00727CCC
SHBrowseForFolderW.SHELL32(?), ref: 00727D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00727D7A
CoTaskMemFree.OLE32(00000000), ref: 00727D81
CoTaskMemFree.OLE32(00000000), ref: 00727DD6
CoUninitialize.OLE32 ref: 00727DDC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 748dc4d7b1c5f047d1ff019a7ec5f28d38e3d6a7eedaff8fdef0ea0dc7dbd76b
Instruction ID: e0f7ec971918895b16cba591529fef41eae5ba0c2820de06e22170e0aeae02e4
Opcode Fuzzy Hash: 748dc4d7b1c5f047d1ff019a7ec5f28d38e3d6a7eedaff8fdef0ea0dc7dbd76b
Instruction Fuzzy Hash: 5CC15B75A00119AFCB14DFA4D984DAEBBF9FF48304B148499E81ADB361D734EE81CB94

Function 0074541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00745504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00745515
CharNextW.USER32(00000158), ref: 00745544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00745585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0074559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007455AC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: bab783717c36295d3c2d768c0cafae826b00205c0c09fc0a8f8ecd87248c3c8d
Instruction ID: acc04f8fb2fc2ce79ff99a8daf40cd764f61bbaa3be92bd70aeca3e7fa1d50b1
Opcode Fuzzy Hash: bab783717c36295d3c2d768c0cafae826b00205c0c09fc0a8f8ecd87248c3c8d
Instruction Fuzzy Hash: C561C034905608EFDF119F64CC84DFE7BB9EF06720F108145F925AB292D7789A80DB61

Function 0070FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0070FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0070FB08
VariantInit.OLEAUT32(?), ref: 0070FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0070FB3A
VariantCopy.OLEAUT32(?,?), ref: 0070FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0070FBA1
VariantClear.OLEAUT32(?), ref: 0070FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0070FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0070FBCC
VariantClear.OLEAUT32(?), ref: 0070FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0070FBE9

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d0d9c1e9a92e7bd9d796c77e17764ef60b176eea2af68e6e6673081ba93b2d73
Instruction ID: bc507df3eceb9e78002deba2987398ff71f83ee90591bb4ef14eb68c13fb57f0
Opcode Fuzzy Hash: d0d9c1e9a92e7bd9d796c77e17764ef60b176eea2af68e6e6673081ba93b2d73
Instruction Fuzzy Hash: 6F417F75A00219DFCB11DFA8C8589AEBFB9FF48354F00C169E905A7261CB38A945CFA4

Function 00719C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00719CA1
GetAsyncKeyState.USER32(000000A0), ref: 00719D22
GetKeyState.USER32(000000A0), ref: 00719D3D
GetAsyncKeyState.USER32(000000A1), ref: 00719D57
GetKeyState.USER32(000000A1), ref: 00719D6C
GetAsyncKeyState.USER32(00000011), ref: 00719D84
GetKeyState.USER32(00000011), ref: 00719D96
GetAsyncKeyState.USER32(00000012), ref: 00719DAE
GetKeyState.USER32(00000012), ref: 00719DC0
GetAsyncKeyState.USER32(0000005B), ref: 00719DD8
GetKeyState.USER32(0000005B), ref: 00719DEA

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: eab592e8812992a6148be510514ea718ed365bcfff639a1133ba7fa2b031bb6c
Instruction ID: f63a3e8c13f8ce09b1a657489fecd113e5834ce8dc39b2137cd38a3347c59629
Opcode Fuzzy Hash: eab592e8812992a6148be510514ea718ed365bcfff639a1133ba7fa2b031bb6c
Instruction Fuzzy Hash: EE41D8346047C969FF718A78D4243F5FEF06B12344F08805ADBC6565C2E7AC99C9C7A2

Function 0073055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 007305BC
inet_addr.WSOCK32(?), ref: 0073061C
gethostbyname.WSOCK32(?), ref: 00730628
IcmpCreateFile.IPHLPAPI ref: 00730636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007306C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007306E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007307B9
WSACleanup.WSOCK32 ref: 007307BF

Strings

Ping, xrefs: 00730676

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a30e80b2ba9b3388a22abdedbe9e4af9b7bb02aae174c3e6d9e9099062e152ee
Instruction ID: 8f12bd5b8a32a83652e6ff1da7eb160c425cc8c7386c05d81796935e0ef65800
Opcode Fuzzy Hash: a30e80b2ba9b3388a22abdedbe9e4af9b7bb02aae174c3e6d9e9099062e152ee
Instruction Fuzzy Hash: 1A919D756042019FE720DF15C499F1ABBE5AF84318F1485A9F46A8B6A2C738ED81CFD1

Function 00738CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00738CF3

Part of subcall function 00718E54: _wcslen.LIBCMT ref: 00718E77

_wcslen.LIBCMT ref: 00738D4E
_wcslen.LIBCMT ref: 00738D9C
_wcslen.LIBCMT ref: 00738DDC
_wcslen.LIBCMT ref: 00738E6E

Strings

cdecl, xrefs: 00738D48, 00738D4D
winapi, xrefs: 00738D96, 00738D9B
none, xrefs: 00738E65, 00738E6A
stdcall, xrefs: 00738DD6, 00738DDB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d46b22bd2ff98cb1529f996e12a2501e850eeb503437473a60a74ecc695a1f86
Instruction ID: 72d88686c1ced6486c0be3d95662e21e09a7eba15b2e2d8ff5696f3500e07097
Opcode Fuzzy Hash: d46b22bd2ff98cb1529f996e12a2501e850eeb503437473a60a74ecc695a1f86
Instruction Fuzzy Hash: 06519072A002169BDF54DF68C9509BEB7A6BF68720B204229F426E7286DB38DD40C7D1

Function 0073372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00733774
CoUninitialize.OLE32 ref: 0073377F
CoCreateInstance.OLE32(?,00000000,00000017,0074FB78,?), ref: 007337D9
IIDFromString.OLE32(?,?), ref: 0073384C
VariantInit.OLEAUT32(?), ref: 007338E4
VariantClear.OLEAUT32(?), ref: 00733936

Strings

Invalid parameter, xrefs: 00733865
Failed to create object, xrefs: 007337E4, 0073389A
NULL Pointer assignment, xrefs: 0073381E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0e329d6d20626317481d59137ed84660ff7a0b92f86cc7ae6b51e00a63493aac
Instruction ID: 257ada47150d6d74a904694f3e79c8e383a44cdb049f025daf25bc65f02dbe62
Opcode Fuzzy Hash: 0e329d6d20626317481d59137ed84660ff7a0b92f86cc7ae6b51e00a63493aac
Instruction Fuzzy Hash: 1961B2B1608301AFE321DF54C889F9AB7E8EF45715F00491DF5859B292C778EE84CBA6

Function 00748B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

Part of subcall function 006C912D: GetCursorPos.USER32(?), ref: 006C9141
Part of subcall function 006C912D: ScreenToClient.USER32(00000000,?), ref: 006C915E
Part of subcall function 006C912D: GetAsyncKeyState.USER32(00000001), ref: 006C9183
Part of subcall function 006C912D: GetAsyncKeyState.USER32(00000002), ref: 006C919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00748B6B
ImageList_EndDrag.COMCTL32 ref: 00748B71
ReleaseCapture.USER32 ref: 00748B77
SetWindowTextW.USER32(?,00000000), ref: 00748C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00748C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00748CFF

Strings

@GUI_DRAGFILE, xrefs: 00748C9A
p#x, xrefs: 00748C71
@GUI_DROPID, xrefs: 00748C51

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#x
API String ID: 1924731296-576312611
Opcode ID: a5125a9c33264308346207dcd0a605b36131c72f0d3284be663971cb9619ea27
Instruction ID: 8859d9a04dc7ddfd86a75dff16d1aecaade0a0e1da2e75191abd9973301ad1c9
Opcode Fuzzy Hash: a5125a9c33264308346207dcd0a605b36131c72f0d3284be663971cb9619ea27
Instruction Fuzzy Hash: 0D51A970105204AFD744EF20CC9AFAE77E9FB88710F50066DF956972A2CB38A944CB66

Function 00723388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007233CF

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007233F0

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00723504
Incorrect parameters to object property !, xrefs: 007234AB
^ ERROR , xrefs: 0072349E
Error: , xrefs: 007234D1
"%s" (%d) : ==> %s:, xrefs: 00723522
Line %d (File "%s"):, xrefs: 00723443, 0072345C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: e95ae93ed3c9accbb9b96efc98d80d94282711a25184a2725b8e0bf8299b06d1
Instruction ID: e6837ef4b496fec01ab68eb7bfb8f18b44b04dc215e6d9d489eea0742f783868
Opcode Fuzzy Hash: e95ae93ed3c9accbb9b96efc98d80d94282711a25184a2725b8e0bf8299b06d1
Instruction Fuzzy Hash: FE51D4B1900219ABDF15EBE0DD46EEEB7B9EF04340F208069F10972091DB396F98DB64

Function 0071B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0071B5FC
_wcslen.LIBCMT ref: 0071B608
_wcslen.LIBCMT ref: 0071B64D
_wcslen.LIBCMT ref: 0071B68C
_wcslen.LIBCMT ref: 0071B6C7

Strings

REMOVE, xrefs: 0071B602, 0071B607
KEYS, xrefs: 0071B647, 0071B64C
APPEND, xrefs: 0071B6C1, 0071B6C6
EXISTS, xrefs: 0071B686, 0071B68B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 66d03aed9c97e65250e896404fd060d165e5e18985ee1ce00302a9d8a51a4cb1
Instruction ID: d294dca768e16374fb9382c1aff41213b4b5296bf061b9737bd997da5e609d52
Opcode Fuzzy Hash: 66d03aed9c97e65250e896404fd060d165e5e18985ee1ce00302a9d8a51a4cb1
Instruction Fuzzy Hash: 2C41D532A001269BCB206F7DC9A05FEB7A5AFB0794B24412AE465DB2C4E739CDC1C790

Function 00725393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007253A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00725416
GetLastError.KERNEL32 ref: 00725420
SetErrorMode.KERNEL32(00000000,READY), ref: 007254A7

Strings

INVALID, xrefs: 00725459
READONLY, xrefs: 00725452
READY, xrefs: 00725460, 00725468
NOTREADY, xrefs: 0072544B
UNKNOWN, xrefs: 00725444

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 6fbcced46764f86402087712eb0eb3e9e3f9bdc1708b6abfe367f74e6195c85c
Instruction ID: 4989cf53a29fb510a7ad3a72114f77538cabc910115e733c4930d88edffbcce5
Opcode Fuzzy Hash: 6fbcced46764f86402087712eb0eb3e9e3f9bdc1708b6abfe367f74e6195c85c
Instruction Fuzzy Hash: E931F275A006549FDB10EF68D484EEABBB4FF05305F14806AE905CB292DB79DD86CBA0

Function 00743C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00743C79
SetMenu.USER32(?,00000000), ref: 00743C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00743D10
IsMenu.USER32(?), ref: 00743D24
CreatePopupMenu.USER32 ref: 00743D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00743D5B
DrawMenuBar.USER32 ref: 00743D63

Strings

0, xrefs: 00743C54
F, xrefs: 00743D4E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 242f47f4e2eda7a1a735ca1c7f244c4d0f6057b973352975fdee75aae33fffd1
Instruction ID: 5df3707d540fbea053ea993bfde0cd178f2ba867148a7cfd3a2fc158fa307db6
Opcode Fuzzy Hash: 242f47f4e2eda7a1a735ca1c7f244c4d0f6057b973352975fdee75aae33fffd1
Instruction Fuzzy Hash: BC415B79A01209AFDB14CF64D884AAEBBB5FF49351F144029F95A97360D738AA10CF94

Function 00711EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00711F64
GetDlgCtrlID.USER32 ref: 00711F6F
GetParent.USER32 ref: 00711F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00711F8E
GetDlgCtrlID.USER32(?), ref: 00711F97
GetParent.USER32(?), ref: 00711FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00711FAE

Strings

ComboBox, xrefs: 00711EEC
ListBox, xrefs: 00711F21

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 0fafba560b568f33ff3161245ee07857077e7b566366a66cc8a461fc04a320e9
Instruction ID: 5aba253d8b691dd15fd190170b0000ad7a973908d89a7896cfc08c67fc5e572c
Opcode Fuzzy Hash: 0fafba560b568f33ff3161245ee07857077e7b566366a66cc8a461fc04a320e9
Instruction Fuzzy Hash: 4821D3B4901114BBCF05AFA4CC84DEEBBB9AF06340F108546BA65672E1DB7849498B74

Function 00743A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00743A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00743AA0
GetWindowLongW.USER32(?,000000F0), ref: 00743AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00743AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00743B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00743BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00743BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00743BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00743BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00743C13

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5e61ed061bb50e34ac99766c8c673d60ef4029bc058e21ca6d7b5c52aecec862
Instruction ID: 5e029cab18a3dcd13c0f260a8f1c96525fba64106c6ef5be94ba0c671ce5f979
Opcode Fuzzy Hash: 5e61ed061bb50e34ac99766c8c673d60ef4029bc058e21ca6d7b5c52aecec862
Instruction Fuzzy Hash: 26617BB5900248AFDB11DFA8CC81EEE77B8EB09710F104199FA15E72A1C778AE45DF64

Function 0071B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0071B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B165
GetWindowThreadProcessId.USER32(00000000), ref: 0071B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0071B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0071A1E1,?,00000001), ref: 0071B21D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8e18ce43de426875b210c0056130ede996ed299960f373e47d0694e1f146db23
Instruction ID: 132d55a4a1c57935d3023f31133f2f12380e3a1dc52669a7d2625cb5a62233a6
Opcode Fuzzy Hash: 8e18ce43de426875b210c0056130ede996ed299960f373e47d0694e1f146db23
Instruction Fuzzy Hash: 5431C175541204BFDB119F6CDC59FAD7BAABB51711F21C005FA00DA1D0D7BC9A848F68

Function 006E2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006E2C94

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006E2CA0
_free.LIBCMT ref: 006E2CAB
_free.LIBCMT ref: 006E2CB6
_free.LIBCMT ref: 006E2CC1
_free.LIBCMT ref: 006E2CCC
_free.LIBCMT ref: 006E2CD7
_free.LIBCMT ref: 006E2CE2
_free.LIBCMT ref: 006E2CED
_free.LIBCMT ref: 006E2CFB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 62c54478eda431029f961ab5623a372eb874c2a6aa55f3b3a67ad08ad762ae34
Instruction ID: d831c0e0e6ef2d5ec9aebfd09143ba3f42bfc5fa3175d283f4e1b532aaeabe33
Opcode Fuzzy Hash: 62c54478eda431029f961ab5623a372eb874c2a6aa55f3b3a67ad08ad762ae34
Instruction Fuzzy Hash: E711073610124DAFCB42EF56D852CDC3BABFF05740F4254A8F9485F222D635EE509B94

Function 00727DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00727FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00727FC1
GetFileAttributesW.KERNEL32(?), ref: 00727FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00728005
SetCurrentDirectoryW.KERNEL32(?), ref: 00728017
SetCurrentDirectoryW.KERNEL32(?), ref: 00728060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 007280B0

Strings

*.*, xrefs: 00728066

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e40eb298e4804f73669955a7664c39ed12eaf90326b9440ac1bab830446443d0
Instruction ID: 994b4e7182dfbffb3031aa8b0ff02178fde1c7ea454b2174f0de6a65eccd5cb2
Opcode Fuzzy Hash: e40eb298e4804f73669955a7664c39ed12eaf90326b9440ac1bab830446443d0
Instruction Fuzzy Hash: C781F3729082509BCB68EF14D5449BEB3E9BF88310F154C5EF885C7250EB39DD44CB62

Function 006B5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 006B5C7A

Part of subcall function 006B5D0A: GetClientRect.USER32(?,?), ref: 006B5D30
Part of subcall function 006B5D0A: GetWindowRect.USER32(?,?), ref: 006B5D71
Part of subcall function 006B5D0A: ScreenToClient.USER32(?,?), ref: 006B5D99

GetDC.USER32 ref: 006F46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006F4708
SelectObject.GDI32(00000000,00000000), ref: 006F4716
SelectObject.GDI32(00000000,00000000), ref: 006F472B
ReleaseDC.USER32(?,00000000), ref: 006F4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006F47C4

Strings

U, xrefs: 006F4693

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3738e17a9aa78d743dd0c855bd808b393d04f962f6e6fa4977342992c2efb069
Instruction ID: 7db6c372a4cc01e164c53cde0de5c2e7b86bb8ddc3e3a9e0a02496d12a148054
Opcode Fuzzy Hash: 3738e17a9aa78d743dd0c855bd808b393d04f962f6e6fa4977342992c2efb069
Instruction Fuzzy Hash: F971E234400209DFCF219F64C984AFB7BB7FF4A360F144269EE565A666CB359882DF50

Function 0072359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007235E4

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

LoadStringW.USER32(00782390,?,00000FFF,?), ref: 0072360A

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00723724
^ ERROR, xrefs: 007236C9
Error: , xrefs: 007236EF
"%s" (%d) : ==> %s:, xrefs: 00723742
Line %d (File "%s"):, xrefs: 0072366B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0a163983cb00a756f10d779f9c17ba1c83027cbe3b791fc213c59734de5260c8
Instruction ID: ded86ba23346224bbef0508415b91fa07cb450c6715cb7c8486c5da74e86ffef
Opcode Fuzzy Hash: 0a163983cb00a756f10d779f9c17ba1c83027cbe3b791fc213c59734de5260c8
Instruction Fuzzy Hash: 7151A0B1900219BBCF15EBA0DC82EEEBB79AF04300F544129F205721A1DB395BD9DFA4

Function 0072C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0072C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0072C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0072C2CA
GetLastError.KERNEL32 ref: 0072C322
SetEvent.KERNEL32(?), ref: 0072C336
InternetCloseHandle.WININET(00000000), ref: 0072C341

Strings

, xrefs: 0072C2BB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 105e50f3ff8e697f38793be7edd4133da6dcf6a2c408512547ab1a591e00e591
Instruction ID: ce2bc080ba518d6ee8652a6918eb03e964db9cac5c2e4dc3f3100ceca7aa2057
Opcode Fuzzy Hash: 105e50f3ff8e697f38793be7edd4133da6dcf6a2c408512547ab1a591e00e591
Instruction Fuzzy Hash: EF31ADB1500614AFD723DF64AC88AAF7AFCEB6A740F10891EF44693201DB78DD048B61

Function 0071989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006F3AAF,?,?,Bad directive syntax error,0074CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007198BC
LoadStringW.USER32(00000000,?,006F3AAF,?), ref: 007198C3

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00719987

Strings

Line %d:, xrefs: 00719912
., xrefs: 0071996D
%s (%d) : ==> %s.: %s %s, xrefs: 007198F1
Error: , xrefs: 00719955
Line %d (File "%s"):, xrefs: 0071992D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 0d76561c1e3d5020f75377411b227523f416f7e2d1e2555429ac3e5d67f6bceb
Instruction ID: 54e3a64aae63e84b166dd599f2c5be8364389b669580f8b596940b3785da2f2e
Opcode Fuzzy Hash: 0d76561c1e3d5020f75377411b227523f416f7e2d1e2555429ac3e5d67f6bceb
Instruction Fuzzy Hash: E621947190021DFBCF55AF90CC1AEEE7776FF14340F048459F619650A2EB35A698CB24

Function 0071209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007120AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007120C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0071214D

Strings

SHELLDLL_DefView, xrefs: 007120CC
largeicons, xrefs: 007120E1
smallicons, xrefs: 00712115
list, xrefs: 0071212F
details, xrefs: 007120FB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 0d7952c2f809dd21c59385beb2f5cd8b109e0c2c7db0ed20d076b3c50a9372a1
Instruction ID: 7a9254753dbed41501303ff3d0ce6df32751dfd49aafcb9b6346deaf4f03032d
Opcode Fuzzy Hash: 0d7952c2f809dd21c59385beb2f5cd8b109e0c2c7db0ed20d076b3c50a9372a1
Instruction Fuzzy Hash: AD110DBA68470AB6FB156328DC06DFA379CCB05364B20411BFB04A51E2FFAD5C936518

Function 006ECE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006ECEB7
_free.LIBCMT ref: 006ECF22
_free.LIBCMT ref: 006ECF48
_free.LIBCMT ref: 006ECF71
_free.LIBCMT ref: 006ECFA9
_free.LIBCMT ref: 006ECFDA
_free.LIBCMT ref: 006ED01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 006ED09C
_free.LIBCMT ref: 006ED0B5

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ca93df6e0af6ed1b564dbddfd1fbd9fa2d3c10bef35cac371ac4f6046fc42f2b
Instruction ID: 086ab4a2f821140772cdd8fd77e904749748a747fe97350b4dc157d384f9d77e
Opcode Fuzzy Hash: ca93df6e0af6ed1b564dbddfd1fbd9fa2d3c10bef35cac371ac4f6046fc42f2b
Instruction Fuzzy Hash: D6618B72A063C1AFDB21AFB79C51AA97B9BEF01330F14416DF8009B382D6359D0687A4

Function 007450D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00745186
ShowWindow.USER32(?,00000000), ref: 007451C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007451CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007451D1

Part of subcall function 00746FBA: DeleteObject.GDI32(00000000), ref: 00746FE6

GetWindowLongW.USER32(?,000000F0), ref: 0074520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0074521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0074524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00745287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00745296

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 00e42bb136be8d441d95e66c23f6f4e7ba87692bfa9b82ffafaadc227037d665
Instruction ID: d5859c99a7e746a96d544947b1ffe84a2c2bd52013a99139661fa90f884f5b3d
Opcode Fuzzy Hash: 00e42bb136be8d441d95e66c23f6f4e7ba87692bfa9b82ffafaadc227037d665
Instruction Fuzzy Hash: B6519F70A41A0CFFEF209F28CC49B993B65FB05321F148117F615962E2C7BDA980DB51

Function 006C8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00706890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007068A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007068B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007068D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007068F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006C8874,00000000,00000000,00000000,000000FF,00000000), ref: 00706901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0070691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006C8874,00000000,00000000,00000000,000000FF,00000000), ref: 0070692D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: a4a408ed4f9025a7e1d533f84fbed6eda9b9981cf5c5d1d799d7e945103ad91c
Instruction ID: 5ef0c92aed200a493f0e52419bd1b4cd5f38b690385a2aed6f371513e71c8164
Opcode Fuzzy Hash: a4a408ed4f9025a7e1d533f84fbed6eda9b9981cf5c5d1d799d7e945103ad91c
Instruction Fuzzy Hash: 44516670600209EFDB208F24CC55FAA7BB6EB58750F10861DF906972E0DB78EDA1DB54

Function 0072C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0072C182
GetLastError.KERNEL32 ref: 0072C195
SetEvent.KERNEL32(?), ref: 0072C1A9

Part of subcall function 0072C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0072C272
Part of subcall function 0072C253: GetLastError.KERNEL32 ref: 0072C322
Part of subcall function 0072C253: SetEvent.KERNEL32(?), ref: 0072C336
Part of subcall function 0072C253: InternetCloseHandle.WININET(00000000), ref: 0072C341

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: cbd2d79a2fc1dac4b8cf3a198a7e6cc4fa882baa41a224bb63c3afe23f3e3497
Instruction ID: 5dec64629418de808f86c6ca9a4abff0b673a3ee06521f4b38d11e8f227d9c65
Opcode Fuzzy Hash: cbd2d79a2fc1dac4b8cf3a198a7e6cc4fa882baa41a224bb63c3afe23f3e3497
Instruction Fuzzy Hash: E131AE75201615EFDB239FA5EC04A6ABBF8FF29300B04841EF95687610DB39E810DBA0

Function 007125A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00713A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00713A57
Part of subcall function 00713A3D: GetCurrentThreadId.KERNEL32 ref: 00713A5E
Part of subcall function 00713A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007125B3), ref: 00713A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007125BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007125DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007125DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007125E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00712601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00712605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0071260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00712623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00712627

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f8a1a5a81d53f781d658e46ea7d3dc07d292791b5c1a3013cb82dc8f4d0c266c
Instruction ID: aaed79de9e49aa02e8ebb21d737f1863ed21b7b19c83600cc71057a7c50be077
Opcode Fuzzy Hash: f8a1a5a81d53f781d658e46ea7d3dc07d292791b5c1a3013cb82dc8f4d0c266c
Instruction Fuzzy Hash: 2301D870391214BBFB1067689C8EF993F59DF4FB11F104042F318AE0D1CAE518458AAE

Function 00711803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00711449,?,?,00000000), ref: 0071180C
HeapAlloc.KERNEL32(00000000,?,00711449,?,?,00000000), ref: 00711813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00711449,?,?,00000000), ref: 00711828
GetCurrentProcess.KERNEL32(?,00000000,?,00711449,?,?,00000000), ref: 00711830
DuplicateHandle.KERNEL32(00000000,?,00711449,?,?,00000000), ref: 00711833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00711449,?,?,00000000), ref: 00711843
GetCurrentProcess.KERNEL32(00711449,00000000,?,00711449,?,?,00000000), ref: 0071184B
DuplicateHandle.KERNEL32(00000000,?,00711449,?,?,00000000), ref: 0071184E
CreateThread.KERNEL32(00000000,00000000,00711874,00000000,00000000,00000000), ref: 00711868

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7d7314d8804911dff4a82177bc18055bfe0c1e59cc34b0aa96480ada357d5b26
Instruction ID: 25f60eeaecd85b84fcaa7b63c80a9cfc9d9c9d8453c56c07c6694ec65f4b3644
Opcode Fuzzy Hash: 7d7314d8804911dff4a82177bc18055bfe0c1e59cc34b0aa96480ada357d5b26
Instruction Fuzzy Hash: 5301BFB5241308BFE751AFA5DC4EF573B6CEB8AB11F418411FA05DB191C6749C00CB24

Function 0073A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0071D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0071D501
Part of subcall function 0071D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0071D50F
Part of subcall function 0071D4DC: CloseHandle.KERNELBASE(00000000), ref: 0071D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0073A16D
GetLastError.KERNEL32 ref: 0073A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0073A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0073A268
GetLastError.KERNEL32(00000000), ref: 0073A273
CloseHandle.KERNEL32(00000000), ref: 0073A2C4

Strings

SeDebugPrivilege, xrefs: 0073A18F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5f58d82fc6122f5915338b3fda231a889eceeda3f4d3da2e1f2143df81d8c841
Instruction ID: 6c34c2ce58ba872d6306db29574f9d55e335b95e08ebb6edf1f50d3d93f377ce
Opcode Fuzzy Hash: 5f58d82fc6122f5915338b3fda231a889eceeda3f4d3da2e1f2143df81d8c841
Instruction Fuzzy Hash: 3861B171204241AFE710DF18C495F66BBE1AF84318F14848CE4A64B7A3C77AED85CB96

Function 00743886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00743925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0074393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00743954
_wcslen.LIBCMT ref: 00743999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007439C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007439F4

Strings

SysListView32, xrefs: 007438F7

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: a364db9f1b224de7b06c3660595f73dae34345ee81ff072c4a7111bbfd22b17e
Instruction ID: 34615bd157b1756825997ca5e69ffcb300990de2bcf97786c04077828e9b2e60
Opcode Fuzzy Hash: a364db9f1b224de7b06c3660595f73dae34345ee81ff072c4a7111bbfd22b17e
Instruction Fuzzy Hash: 8541B571A00318ABEF219F64CC49FEA7BA9EF08354F10456AF958E7281D7799D80CB94

Function 0071BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0071BCFD
IsMenu.USER32(00000000), ref: 0071BD1D
CreatePopupMenu.USER32 ref: 0071BD53
GetMenuItemCount.USER32(012D4B80), ref: 0071BDA4
InsertMenuItemW.USER32(012D4B80,?,00000001,00000030), ref: 0071BDCC

Strings

2, xrefs: 0071BD37
0, xrefs: 0071BCA8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: ba1685334ab682698b2378f960772477646fb84656c5f0ae37141f99b2e4c874
Instruction ID: 8715ab986d2d5e78b3bcd53fe494ea1b46e59ed14bacd30aa9775dabda105206
Opcode Fuzzy Hash: ba1685334ab682698b2378f960772477646fb84656c5f0ae37141f99b2e4c874
Instruction Fuzzy Hash: 65519070700205DBDB19CFACE889BEDBBF4AF49314F248159E491E72D0D778A981CB61

Function 006D2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006D2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 006D2D53
_ValidateLocalCookies.LIBCMT ref: 006D2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 006D2E0C
_ValidateLocalCookies.LIBCMT ref: 006D2E61

Strings

csm, xrefs: 006D2DF6
&Hm, xrefs: 006D2DFE, 006D2E07, 006D2E18

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hm$csm
API String ID: 1170836740-972173557
Opcode ID: 01337779ccfebb4ac62c1f756822e166491050308c18d0b449d564657c16b73d
Instruction ID: aabbd29d94f4ad1587e489600f5bf2fbc6e790ee92dbf189739e721fd370bc1f
Opcode Fuzzy Hash: 01337779ccfebb4ac62c1f756822e166491050308c18d0b449d564657c16b73d
Instruction Fuzzy Hash: 21419534E0021A9BCF10DF68C855ADEBBB7BF55314F14815AE814AB392D7359A05CBD1

Function 0071C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0071C913

Strings

warning, xrefs: 0071C8FC
question, xrefs: 0071C8CC
info, xrefs: 0071C8B4
blank, xrefs: 0071C895
stop, xrefs: 0071C8E4

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2c6504ca634087fb63a1aa8f705c24b6352278096964e1fd860820845dcb7e39
Instruction ID: 16121e5c00f46ed1f26826a26935287cec77e64590d89ffea5d9717b0189f65f
Opcode Fuzzy Hash: 2c6504ca634087fb63a1aa8f705c24b6352278096964e1fd860820845dcb7e39
Instruction Fuzzy Hash: A5112E716C9706BFA706579C9CC3CEE279CDF153A4B10402FF504AA2C1DB7C6D805268

Function 0071DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0071DE42
gethostname.WSOCK32(?,00000100), ref: 0071DE5C
gethostbyname.WSOCK32(?), ref: 0071DE69
inet_ntoa.WSOCK32(?), ref: 0071DEAB
_strcat.LIBCMT ref: 0071DEB9
WSACleanup.WSOCK32 ref: 0071DEDE

Strings

0.0.0.0, xrefs: 0071DE87

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: ac7f75875bc8e5fa2ab19f6d361b8e5bb4a9bb287c18f6291c4ad6d58f3a09bc
Instruction ID: 75e82e1cc4e0c3bec499d5189b650ca41afea24db0ed8f55a11d51ad1e616b29
Opcode Fuzzy Hash: ac7f75875bc8e5fa2ab19f6d361b8e5bb4a9bb287c18f6291c4ad6d58f3a09bc
Instruction Fuzzy Hash: 63113371904108ABCB71AB389C0AEEE37ADDF11312F00016AF405AA1D1EF78CEC48E64

Function 0071ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0071ED2A
_wcslen.LIBCMT ref: 0071ED3B
_wcslen.LIBCMT ref: 0071ED79
_wcslen.LIBCMT ref: 0071EDAF
_wcslen.LIBCMT ref: 0071EDDF
_wcslen.LIBCMT ref: 0071EDEF
_wcslen.LIBCMT ref: 0071EE2B
_wcslen.LIBCMT ref: 0071EE5A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 4b843081a879f384bd1118254d93f856e3642425cbead6d451930eb3eb90ce8e
Instruction ID: 15174b7ce81b080e6a75b44caba578adb207e34c4a27555d95502b52784f00fd
Opcode Fuzzy Hash: 4b843081a879f384bd1118254d93f856e3642425cbead6d451930eb3eb90ce8e
Instruction Fuzzy Hash: 4141B265C1011866CB51EBB4CC8A9CFB3A9AF45300F00846BFA14E3262FB34E745C3E9

Function 006CF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 006CF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 0070F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 0070F454

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9b392c8af5e00c3e1f2028f051c52658bd7255d43e33da4391552732417e3d22
Instruction ID: 8df2839a51703fde9ca5551b9e0162085dc632840296337e9ee0464b0d9fcf54
Opcode Fuzzy Hash: 9b392c8af5e00c3e1f2028f051c52658bd7255d43e33da4391552732417e3d22
Instruction Fuzzy Hash: 55410B31604680FACF799B29C888F7ABBD7EB57314F14853EF44796AA0C739A881C751

Function 00742D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00742D1B
GetDC.USER32(00000000), ref: 00742D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00742D2E
ReleaseDC.USER32(00000000,00000000), ref: 00742D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00742D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00742D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00745A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00742DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00742DE1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ea69923605eb8e7e0a43fb22d5e75ba468690fb2b4f7220a0f2fc55d0b2cdd61
Instruction ID: 1d5fff87927699ba3ba26d008b70311c3ad08642ed6f6ebe662fd0ece5c989ed
Opcode Fuzzy Hash: ea69923605eb8e7e0a43fb22d5e75ba468690fb2b4f7220a0f2fc55d0b2cdd61
Instruction Fuzzy Hash: 40317176202614BFEB154F50CC49FEB3FA9EF0A715F048056FE089A1A1C7799C51CBA5

Function 00715622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00715637
_memcmp.LIBVCRUNTIME ref: 00715659
_memcmp.LIBVCRUNTIME ref: 00715671
_memcmp.LIBVCRUNTIME ref: 00715684
_memcmp.LIBVCRUNTIME ref: 0071569E
_memcmp.LIBVCRUNTIME ref: 007156B1
_memcmp.LIBVCRUNTIME ref: 007156C9
_memcmp.LIBVCRUNTIME ref: 007156E4

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e99b8f75366bff7ede4608c42025d7e75bb23dd0c9fcd12d7e794c16405fcbe4
Instruction ID: 643f31d8a3433a9523e4a1b5d2a2245364aabb31f3bf018ae94d3bced4f68700
Opcode Fuzzy Hash: e99b8f75366bff7ede4608c42025d7e75bb23dd0c9fcd12d7e794c16405fcbe4
Instruction Fuzzy Hash: 982198B1A40905FBD31C55295D92FFA235DAFA2784B440025FD045A6C2FB68ED5082E9

Function 00734FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00735007
NULL Pointer assignment, xrefs: 0073502E, 00735383

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4b30b0e5af98dbf950afbb059ac948e6a73b84b72376e90a433b079e9d71f8f1
Instruction ID: 0c0cddcfc2d6e0e1ff37dbc25bc47ee85bb3656234550114dcb805ef2a7a88f6
Opcode Fuzzy Hash: 4b30b0e5af98dbf950afbb059ac948e6a73b84b72376e90a433b079e9d71f8f1
Instruction Fuzzy Hash: EED1D6B1A0060A9FEF14CFA8C881FAEB7B5FF48344F148069E915AB282D775DD41CB90

Function 006F1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006F17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006F15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006F1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006F17FB,?,006F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006F16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006F16FB

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006F17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006F1777
__freea.LIBCMT ref: 006F17A2
__freea.LIBCMT ref: 006F17AE

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 27da0a6b8c2198de5da3a261f1a985914481cff629ee698bacc47783be003309
Instruction ID: 445dd104d4fe2a240b7624fcefe25b43d8500be2db6363672527d9d8d04fed03
Opcode Fuzzy Hash: 27da0a6b8c2198de5da3a261f1a985914481cff629ee698bacc47783be003309
Instruction Fuzzy Hash: C891C4B1E0021EDADF209E74C891AFE7BB6AF4A390F184659EA05EF251D735DC41CB60

Function 00734523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00734648
VariantInit.OLEAUT32(?), ref: 00734749
VariantClear.OLEAUT32(?), ref: 00734753
VariantClear.OLEAUT32(?), ref: 007347B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007345D8, 00734706, 007347BE
Incorrect Object type in FOR..IN loop, xrefs: 0073472C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 84df0bed6dbe28abcff4bcef0c0c3041f2b4cb74698659b5b7b6f38c5cb7a79e
Instruction ID: b145a95e06cc893cd670fc2d37afef69988778e6a78f353aa5a71b316b9c300f
Opcode Fuzzy Hash: 84df0bed6dbe28abcff4bcef0c0c3041f2b4cb74698659b5b7b6f38c5cb7a79e
Instruction Fuzzy Hash: E3919471A00219EBEF28CFA4CC45FAE7BB8EF46714F108559F505AB281D778A941CFA0

Function 00721187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0072125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00721284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007212A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007212D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0072135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007213C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00721430

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 0e31c21dafaeab3e263c30ea9c0ee1a1b6087b3747962287bf8d9ae2ce9d7a12
Instruction ID: b7bbf7d0c5eadb48d70f8e36541a92f2bf319f9ad1ae5e85c14b4e1f4c339826
Opcode Fuzzy Hash: 0e31c21dafaeab3e263c30ea9c0ee1a1b6087b3747962287bf8d9ae2ce9d7a12
Instruction Fuzzy Hash: 2F91F475A00229DFDB00DFA8E884BBE77B6FF55324F514029E900E7291D77CA941CBA4

Function 006C948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 65ac1adaecb2801d0f27924e83aac239306ec3b57b2cffbe8395ac0f4c62ebe2
Instruction ID: 93f5ed3c5222834db9b89418675ae30d20dfa39689adb71d91d36e7a3e92996f
Opcode Fuzzy Hash: 65ac1adaecb2801d0f27924e83aac239306ec3b57b2cffbe8395ac0f4c62ebe2
Instruction Fuzzy Hash: 69913671D00219EFCB15CFA9CC88AEEBBB9FF49320F148159E515B7291D378A942CB60

Function 00733947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0073396B
CharUpperBuffW.USER32(?,?), ref: 00733A7A
_wcslen.LIBCMT ref: 00733A8A
VariantClear.OLEAUT32(?), ref: 00733C1F

Part of subcall function 00720CDF: VariantInit.OLEAUT32(00000000), ref: 00720D1F
Part of subcall function 00720CDF: VariantCopy.OLEAUT32(?,?), ref: 00720D28
Part of subcall function 00720CDF: VariantClear.OLEAUT32(?), ref: 00720D34

Strings

AUTOIT.ERROR, xrefs: 00733A80, 00733A85
Incorrect Parameter format, xrefs: 007339A6, 00733BA1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: bce5fbd5583ebdd7b6d60232d2574a6a8abafa6210bde52ecd56811c3cddc7de
Instruction ID: fa12f85095fb97e532dd6efecbab244f532bd5316c1493aadcddbb58232b66fe
Opcode Fuzzy Hash: bce5fbd5583ebdd7b6d60232d2574a6a8abafa6210bde52ecd56811c3cddc7de
Instruction Fuzzy Hash: A19167B56083019FC714DF28C48196AB7E5FF89314F14882DF88A9B352DB39EE45CB92

Function 00734BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0071000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?,?,0071035E), ref: 0071002B
Part of subcall function 0071000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710046
Part of subcall function 0071000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710054
Part of subcall function 0071000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?), ref: 00710064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00734C51
_wcslen.LIBCMT ref: 00734D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00734DCF
CoTaskMemFree.OLE32(?), ref: 00734DDA

Strings

NULL Pointer assignment, xrefs: 00734E23, 00734E52

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: b0542325775b2dda0996beff0cfc6ca316c7281b2607c208473922c5426973e4
Instruction ID: ba5a5757a5a00bb07855848c8b3ff3211126e4651acfe1350c1271ef2c8b8bd5
Opcode Fuzzy Hash: b0542325775b2dda0996beff0cfc6ca316c7281b2607c208473922c5426973e4
Instruction Fuzzy Hash: 129107B1D00219AFDF14DFA4C891AEEB7B9BF08310F10856AE915A7251DB34AA45CFA0

Function 007420FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00742183
GetMenuItemCount.USER32(00000000), ref: 007421B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007421DD
_wcslen.LIBCMT ref: 00742213
GetMenuItemID.USER32(?,?), ref: 0074224D
GetSubMenu.USER32(?,?), ref: 0074225B

Part of subcall function 00713A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00713A57
Part of subcall function 00713A3D: GetCurrentThreadId.KERNEL32 ref: 00713A5E
Part of subcall function 00713A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007125B3), ref: 00713A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007422E3

Part of subcall function 0071E97B: Sleep.KERNEL32 ref: 0071E9F3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 322c67819a847184ed8ce36df5ac5d4141ca7597c68068fa74c9bfbafb91ab50
Instruction ID: a5efb07abee6c3bdeb1243675a8b581c2f4eb88f7e6b6353ef3ae0dcfac4e29c
Opcode Fuzzy Hash: 322c67819a847184ed8ce36df5ac5d4141ca7597c68068fa74c9bfbafb91ab50
Instruction Fuzzy Hash: 57718175A00205AFCB50DF64C845AAEB7F6FF89310F518459F816EB352DB78ED428B90

Function 00747E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(012D4B08), ref: 00747F37
IsWindowEnabled.USER32(012D4B08), ref: 00747F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 0074801E
SendMessageW.USER32(012D4B08,000000B0,?,?), ref: 00748051
IsDlgButtonChecked.USER32(?,?), ref: 00748089
GetWindowLongW.USER32(012D4B08,000000EC), ref: 007480AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 007480C3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 54b5509ca2abd41ed31a6dc5bd87e74289b3fb2f09fd52e072ab52923f40fe14
Instruction ID: 735ff528875693d29cdb19113c9d00d29adfcaa18f1e712b5da3aed36b98b8da
Opcode Fuzzy Hash: 54b5509ca2abd41ed31a6dc5bd87e74289b3fb2f09fd52e072ab52923f40fe14
Instruction Fuzzy Hash: 5E71A334608208AFEB29DF54CC84FBE7BB9EF0A300F14445AF94557261CB39AC4ADB11

Function 0071AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0071AEF9
GetKeyboardState.USER32(?), ref: 0071AF0E
SetKeyboardState.USER32(?), ref: 0071AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0071AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0071AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0071AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0071B020

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7af5cdc573d45b7c3ac3b8be34aa509260e7dc45aba4d80460c0c69a8e280647
Instruction ID: 0d13e62d4cfcbbedc54c99bb4bbf229b97b0f34aee13a6cfdad07f47047db57f
Opcode Fuzzy Hash: 7af5cdc573d45b7c3ac3b8be34aa509260e7dc45aba4d80460c0c69a8e280647
Instruction Fuzzy Hash: 4451B3A06057D53DFB3682388C49BFA7EA95B06304F088589F1D9554C2C3ACEDC9D761

Function 0071ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0071AD19
GetKeyboardState.USER32(?), ref: 0071AD2E
SetKeyboardState.USER32(?), ref: 0071AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0071ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0071ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0071AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0071AE38

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 4c1a08fda6a73300d763cafc73d98dddd11678dc4c50cc780352026f9a8c9620
Instruction ID: 93a520f0ea1c79b5e69e7eae274fc3e2d42fc1e7b9b70b14eee4bf28d1380188
Opcode Fuzzy Hash: 4c1a08fda6a73300d763cafc73d98dddd11678dc4c50cc780352026f9a8c9620
Instruction Fuzzy Hash: 3D51D7A16057D53DFB3783388C56BFA7EA96B46300F088589E1D5468C2D3ACECD8D752

Function 006E542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(006F3CD6,?,?,?,?,?,?,?,?,006E5BA3,?,?,006F3CD6,?,?), ref: 006E5470
__fassign.LIBCMT ref: 006E54EB
__fassign.LIBCMT ref: 006E5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,006F3CD6,00000005,00000000,00000000), ref: 006E552C
WriteFile.KERNEL32(?,006F3CD6,00000000,006E5BA3,00000000,?,?,?,?,?,?,?,?,?,006E5BA3,?), ref: 006E554B
WriteFile.KERNEL32(?,?,00000001,006E5BA3,00000000,?,?,?,?,?,?,?,?,?,006E5BA3,?), ref: 006E5584

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: df4848d3edda679db74b1bc5743c96aab233fefac24f2f257ac10cca4ee6c478
Instruction ID: d319719fb412ad35f286643af46aa8654f3b7501c81a7b02dbf36d7a6b715b64
Opcode Fuzzy Hash: df4848d3edda679db74b1bc5743c96aab233fefac24f2f257ac10cca4ee6c478
Instruction Fuzzy Hash: 3751F6B0A017889FDB11CFA9D845AEEBBF6EF09304F24405AF556E7391E7309A41CB64

Function 007310B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0073304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0073307A
Part of subcall function 0073304E: _wcslen.LIBCMT ref: 0073309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00731112
WSAGetLastError.WSOCK32 ref: 00731121
WSAGetLastError.WSOCK32 ref: 007311C9
closesocket.WSOCK32(00000000), ref: 007311F9

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4dfcf43c93c6eb42513084cb9d584186ecbc678b996c219a74e660c14612d8ab
Instruction ID: b7cf8732e7410b4a2fb27b387ba18ac08fcb8caaedc5d2b4e46381deaff23314
Opcode Fuzzy Hash: 4dfcf43c93c6eb42513084cb9d584186ecbc678b996c219a74e660c14612d8ab
Instruction Fuzzy Hash: 83410535600218AFEB119F14C884BEAB7EAEF45324F14C059FD059B292C778EE81CBE5

Function 0071CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0071CF22,?), ref: 0071DDFD

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0071CF22,?), ref: 0071DE16

lstrcmpiW.KERNEL32(?,?), ref: 0071CF45
MoveFileW.KERNEL32(?,?), ref: 0071CF7F
_wcslen.LIBCMT ref: 0071D005
_wcslen.LIBCMT ref: 0071D01B
SHFileOperationW.SHELL32(?), ref: 0071D061

Strings

\*.*, xrefs: 0071CFF3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 8f8e26c9d7ca1af20fe4e1ed542c688c88d6643f863365dc77697314116bcbfe
Instruction ID: a726eb2b3e87afd940c2d0449847c3145ccbfaf17483e8d61dbe0768b8e187f0
Opcode Fuzzy Hash: 8f8e26c9d7ca1af20fe4e1ed542c688c88d6643f863365dc77697314116bcbfe
Instruction Fuzzy Hash: 294166729451189FDF12EFA8D981ADD77BDAF08380F1400EAE505EB181EB38AA85CB54

Function 00742DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00742E1C
GetWindowLongW.USER32(?,000000F0), ref: 00742E4F
GetWindowLongW.USER32(?,000000F0), ref: 00742E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00742EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00742EE0
GetWindowLongW.USER32(?,000000F0), ref: 00742EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00742F0B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ab881e99e480e1679cb8bd91c17967906cc54e406f0bebba68073278e47e5f15
Instruction ID: 053d7ec035027f27bd06b526f77ef85b2787272bb33d8ef4cb5d67269703134c
Opcode Fuzzy Hash: ab881e99e480e1679cb8bd91c17967906cc54e406f0bebba68073278e47e5f15
Instruction Fuzzy Hash: B2315734645160AFDB21CF18DC88F6537E4FB4A710FA680A5F9148F2B2CB79AC52DB05

Function 00717726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00717769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0071778F
SysAllocString.OLEAUT32(00000000), ref: 00717792
SysAllocString.OLEAUT32(?), ref: 007177B0
SysFreeString.OLEAUT32(?), ref: 007177B9
StringFromGUID2.OLE32(?,?,00000028), ref: 007177DE
SysAllocString.OLEAUT32(?), ref: 007177EC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 4cd53b013addc4b60c1cf3ed7078fd3b295ee280728eb08b309aa337b5e4d2ae
Instruction ID: 5e3540b6ba8636a3ee5bd31280bf1acb681788203163d2203ef4bad2341bd4b0
Opcode Fuzzy Hash: 4cd53b013addc4b60c1cf3ed7078fd3b295ee280728eb08b309aa337b5e4d2ae
Instruction Fuzzy Hash: 8621DE7A604209AFDB00EFACCC88CFB77ACEB09360B008026BA15DB1D0D678DC81C764

Function 007177FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00717842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00717868
SysAllocString.OLEAUT32(00000000), ref: 0071786B
SysAllocString.OLEAUT32 ref: 0071788C
SysFreeString.OLEAUT32 ref: 00717895
StringFromGUID2.OLE32(?,?,00000028), ref: 007178AF
SysAllocString.OLEAUT32(?), ref: 007178BD

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a2ae2e43ec8daad4523dc127ab7f2457566e6fbf50aa7d43ba9689e148ffe787
Instruction ID: c9b96fdc156db6eec65125814a64dd848f399d0f23453f1fc08dd7da00cb5948
Opcode Fuzzy Hash: a2ae2e43ec8daad4523dc127ab7f2457566e6fbf50aa7d43ba9689e148ffe787
Instruction Fuzzy Hash: 2D216075609204AFDB14AFACDC88DEA77BCEB097607108125F915CB2A1DB78DC81CB78

Function 007204D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007204F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0072052E

Strings

nul, xrefs: 00720567

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 168cd48d608dcbc6af130ddce8715ed3691fdc970f4da8df956aaa65eeb91b62
Instruction ID: d0a571306c8edfffde3e619425e6c09ad88ee6c74346df5fef5929a54ee34713
Opcode Fuzzy Hash: 168cd48d608dcbc6af130ddce8715ed3691fdc970f4da8df956aaa65eeb91b62
Instruction Fuzzy Hash: D32162756003199BDB209F2AEC44E5A77F4BF45724F204A19F8A1D61E1D7B49960CFB0

Function 007205A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007205C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00720601

Strings

nul, xrefs: 00720639

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 749c2ec1e94ec93bfd3fd2e2859ab10aec7abb41caecc051191c342de1a7b386
Instruction ID: 4e3120ad60b51f5c5ab2d09a8b20f72d4c70e47c8aa3c89428e49a2f5f022263
Opcode Fuzzy Hash: 749c2ec1e94ec93bfd3fd2e2859ab10aec7abb41caecc051191c342de1a7b386
Instruction Fuzzy Hash: 7021B5755003259FDB208F69EC08A5A77F4BF85720F204A19F8A1E32E1D7B89860CBB0

Function 007440AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006B604C
Part of subcall function 006B600E: GetStockObject.GDI32(00000011), ref: 006B6060
Part of subcall function 006B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006B606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00744112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0074411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0074412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00744139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00744145

Strings

Msctls_Progress32, xrefs: 007440E3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 027e147c606b81761712a7b95371a9a135db57a472c42edefc3c2eafbbdf9f08
Instruction ID: 42fb90c5941a3c0f80eb4c642c2e48051a2c61afdc8542114d8244000e5d4644
Opcode Fuzzy Hash: 027e147c606b81761712a7b95371a9a135db57a472c42edefc3c2eafbbdf9f08
Instruction Fuzzy Hash: 8B11B2B214021DBEEF119F64CC86EE77F9DEF09798F018111BA18A2050C7769C61DBA4

Function 006ED7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006ED7A3: _free.LIBCMT ref: 006ED7CC

_free.LIBCMT ref: 006ED82D

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006ED838
_free.LIBCMT ref: 006ED843
_free.LIBCMT ref: 006ED897
_free.LIBCMT ref: 006ED8A2
_free.LIBCMT ref: 006ED8AD
_free.LIBCMT ref: 006ED8B8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b941bb4c90bf183b418bef4db555d500211facf1544339635078ce54a5f8e861
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 63115171542B88AAD9A1BFB2CC47FCB7BDF6F00700F40082DB699AA093DA69F5054654

Function 0071DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0071DA74
LoadStringW.USER32(00000000), ref: 0071DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0071DA91
LoadStringW.USER32(00000000), ref: 0071DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0071DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0071DAB9

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: d7c614e53abe825bab9fc080f53110bc05b2933712a65d8ac716d321fb986356
Instruction ID: ce798c4c2fbfab8a1808cd29de22ad08b722ffb33bdd3586387161969f252312
Opcode Fuzzy Hash: d7c614e53abe825bab9fc080f53110bc05b2933712a65d8ac716d321fb986356
Instruction Fuzzy Hash: 940186F6500208BFE752DBA49D89EF7336CEB09701F4084A2B706E2081EB789E844F75

Function 0072096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(012CE258,012CE258), ref: 0072097B
EnterCriticalSection.KERNEL32(012CE238,00000000), ref: 0072098D
TerminateThread.KERNEL32(?,000001F6), ref: 0072099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 007209A9
CloseHandle.KERNEL32(?), ref: 007209B8
InterlockedExchange.KERNEL32(012CE258,000001F6), ref: 007209C8
LeaveCriticalSection.KERNEL32(012CE238), ref: 007209CF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 8f55d187642a7c6420c7717b94e82cba7afa682a82b809ec4aa8bbd0a28f59b5
Instruction ID: 2a6de8320286383b8b32855c127df87a8d4f3b104283865640e518b016f78b3f
Opcode Fuzzy Hash: 8f55d187642a7c6420c7717b94e82cba7afa682a82b809ec4aa8bbd0a28f59b5
Instruction Fuzzy Hash: C4F0E135543912BBD7925F94EE8DBD67B35FF06702F405016F102508A1C7B9A465CFA4

Function 00731C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00731DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00731DE1
WSAGetLastError.WSOCK32 ref: 00731DF2
htons.WSOCK32(?,?,?,?,?), ref: 00731EDB
inet_ntoa.WSOCK32(?), ref: 00731E8C

Part of subcall function 007139E8: _strlen.LIBCMT ref: 007139F2

Part of subcall function 00733224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0072EC0C), ref: 00733240

_strlen.LIBCMT ref: 00731F35

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 5fb97b1f8852ffcf54dacfc989f1993167424e29f2ac8bcf5c78475cce53504c
Instruction ID: 55b5474e2cead7d6bd17adbfcede6bddd49513f88f9efc0e1d7dd0b713bc75af
Opcode Fuzzy Hash: 5fb97b1f8852ffcf54dacfc989f1993167424e29f2ac8bcf5c78475cce53504c
Instruction Fuzzy Hash: 6EB1E071204301AFE324DF24C885E6A7BE6AF85318F94894CF4565B2E3CB75ED82CB91

Function 006B5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 006B5D30
GetWindowRect.USER32(?,?), ref: 006B5D71
ScreenToClient.USER32(?,?), ref: 006B5D99
GetClientRect.USER32(?,?), ref: 006B5ED7
GetWindowRect.USER32(?,?), ref: 006B5EF8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: bb77ed90203e03c4a0bbe4a08ccb385e992492fd4b26ac5e646c5fae80f5a044
Instruction ID: 84693a267d8dfc7b1dc4b331484ef2f4393f3d0bd3d314f7094f943318621689
Opcode Fuzzy Hash: bb77ed90203e03c4a0bbe4a08ccb385e992492fd4b26ac5e646c5fae80f5a044
Instruction Fuzzy Hash: D6B16A74A0064ADBDB10CFA8C4407FAB7F2FF48310F14851AE9AAD7650DB34EA92DB54

Function 006E01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006E00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006E00D6
__allrem.LIBCMT ref: 006E00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006E010B
__allrem.LIBCMT ref: 006E0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006E0140

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: b84babdb8ac1dcdb4c2b2f4ae3afd2fb6aa053fa908de7b5de01e4aed26f3574
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 0E81E772A027469BE720AF6ACC41BAB73EBAF41364F24453EF551DA3C1E7B0D9408794

Function 006E61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006D82D9,006D82D9,?,?,?,006E644F,00000001,00000001,8BE85006), ref: 006E6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006E644F,00000001,00000001,8BE85006,?,?,?), ref: 006E62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006E63D8
__freea.LIBCMT ref: 006E63E5

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

__freea.LIBCMT ref: 006E63EE
__freea.LIBCMT ref: 006E6413

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 44d59f4fbbb13c85331d06928b3373677f9a74f2de6e9e06db5ea3cfed145c08
Instruction ID: c1e4ff22871238eb0faffaedc4a24d895b99364bab1f10af799ac0f7e8ef96ac
Opcode Fuzzy Hash: 44d59f4fbbb13c85331d06928b3373677f9a74f2de6e9e06db5ea3cfed145c08
Instruction Fuzzy Hash: E751D172602396AFDB258F66CC81EEF77ABEB64790F144629F905D7280EB34DD40C660

Function 0073BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0073BD25
RegCloseKey.ADVAPI32(00000000), ref: 0073BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0073BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0073BDF3
RegCloseKey.ADVAPI32(?), ref: 0073BDFF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: e6d39baae74005eca37b3343499af9faebc5e2f6ffaa341a965cba6d8d74fb29
Instruction ID: 7603cc30749d086f830eaa1ee58943a5a354e63c9ddc498824e4688574e3613b
Opcode Fuzzy Hash: e6d39baae74005eca37b3343499af9faebc5e2f6ffaa341a965cba6d8d74fb29
Instruction Fuzzy Hash: D481F170218241EFE714DF24C881E6ABBE5FF84308F14885DF55A4B2A2DB36ED45CB92

Function 0070F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0070F7B9
SysAllocString.OLEAUT32(00000001), ref: 0070F860
VariantCopy.OLEAUT32(0070FA64,00000000), ref: 0070F889
VariantClear.OLEAUT32(0070FA64), ref: 0070F8AD
VariantCopy.OLEAUT32(0070FA64,00000000), ref: 0070F8B1
VariantClear.OLEAUT32(?), ref: 0070F8BB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e333edb1dc24c45d159cd75fa2df95f9b95f102e3245f52b17af585b6e68199c
Instruction ID: e210fc634b9b96329e3cd2bfb73bc1c9cdd56f43b3ccd051ea9f771fc26badd5
Opcode Fuzzy Hash: e333edb1dc24c45d159cd75fa2df95f9b95f102e3245f52b17af585b6e68199c
Instruction Fuzzy Hash: 91513731611300FACF70AF65D885B69B3E5EF45310B20952BE802DF6D1DB789C40CBAA

Function 0072910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 007294E5
_wcslen.LIBCMT ref: 00729506
_wcslen.LIBCMT ref: 0072952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00729585

Strings

X, xrefs: 00729412

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 26c61acb031d51ae115bece0b6da68a7f8232e918e7d1504a5b2d5189fb186d6
Instruction ID: 6f41b2d6e96fcfa11a06b79445ca2861b5d300fd4248b448c738d9d6612184dd
Opcode Fuzzy Hash: 26c61acb031d51ae115bece0b6da68a7f8232e918e7d1504a5b2d5189fb186d6
Instruction Fuzzy Hash: D6E1D171604350DFD764EF24D881AAAB7E1FF84310F08896DF9899B2A2DB34DD44CB96

Function 006C920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

BeginPaint.USER32(?,?,?), ref: 006C9241
GetWindowRect.USER32(?,?), ref: 006C92A5
ScreenToClient.USER32(?,?), ref: 006C92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006C92D3
EndPaint.USER32(?,?,?,?,?), ref: 006C9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007071EA

Part of subcall function 006C9339: BeginPath.GDI32(00000000), ref: 006C9357

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 5e9eba9e7093073b8a02b1592cbfd562eb5b55796f845ef9bb7384b2decbd3cd
Instruction ID: 6f642cb45c87de5122a1f3971705ab3c4797cfa8905868996e1c7dad3602be8f
Opcode Fuzzy Hash: 5e9eba9e7093073b8a02b1592cbfd562eb5b55796f845ef9bb7384b2decbd3cd
Instruction Fuzzy Hash: DE41AC70105240EFD711DF24CC88FBA7BE9EB8A320F14466DF994872E1C739A846DB66

Function 007207EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0072080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00720847
EnterCriticalSection.KERNEL32(?), ref: 00720863
LeaveCriticalSection.KERNEL32(?), ref: 007208DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007208F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00720921

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b1d4346d18990d6f17ffc62fcac8d41e1edf018412238f01925a16a808332241
Instruction ID: aebd1f3e1dbe023c72f9e71f2d93b7fa8ccfb138f4992965e0898360d4046a46
Opcode Fuzzy Hash: b1d4346d18990d6f17ffc62fcac8d41e1edf018412238f01925a16a808332241
Instruction Fuzzy Hash: CF41AD71900205EFDF55AF54DC85A6A77BAFF04300F1080A9ED009A297DB74EE60DBA8

Function 007481DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0070F3AB,00000000,?,?,00000000,?,0070682C,00000004,00000000,00000000), ref: 0074824C
EnableWindow.USER32(?,00000000), ref: 00748272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007482D1
ShowWindow.USER32(?,00000004), ref: 007482E5
EnableWindow.USER32(?,00000001), ref: 0074830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0074832F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e3874f482160d7ade33daf27a04f6d469f9dc294ef94cdc6f7ca8b768f89a61f
Instruction ID: 3e7c3e8a31130ae500826585f7cd0066e8f65c822e1568092624ca3995a0a736
Opcode Fuzzy Hash: e3874f482160d7ade33daf27a04f6d469f9dc294ef94cdc6f7ca8b768f89a61f
Instruction Fuzzy Hash: FA41C634601648EFDB52CF14C899BEC7BE0FB0A714F1882A9E5184F272CB79AC41CB56

Function 00714C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00714C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00714CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00714CEA
_wcslen.LIBCMT ref: 00714D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00714D10
_wcsstr.LIBVCRUNTIME ref: 00714D1A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 0124cd0ee0129f995b98204caa55d3c0498679507659e17e0ebba13b5c2ef28a
Instruction ID: f93f564bdec42050b3f7f4b2d24d43adbb0666a141874104708d831fbc3b0179
Opcode Fuzzy Hash: 0124cd0ee0129f995b98204caa55d3c0498679507659e17e0ebba13b5c2ef28a
Instruction Fuzzy Hash: BA212976605200BBEB555B39EC09EBB7B9DDF46750F10C06EF905CA1D2EF69CC4092A0

Function 0072581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 006B3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006B3A97,?,?,006B2E7F,?,?,?,00000000), ref: 006B3AC2

_wcslen.LIBCMT ref: 0072587B
CoInitialize.OLE32(00000000), ref: 00725995
CoCreateInstance.OLE32(0074FCF8,00000000,00000001,0074FB68,?), ref: 007259AE
CoUninitialize.OLE32 ref: 007259CC

Strings

.lnk, xrefs: 00725876, 007258C1, 00725985

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 87741839ce5985d0cdb342e178e55d83b759cd297f13510d0c004787984755fd
Instruction ID: dca79d87dc8c4c642d36b417e42a6891f4b8f55a3adc902240639268099bd92b
Opcode Fuzzy Hash: 87741839ce5985d0cdb342e178e55d83b759cd297f13510d0c004787984755fd
Instruction Fuzzy Hash: 4BD163B16047219FC714DF24D484A6ABBE6EF89310F14885DF8899B361DB35EC85CB92

Function 0071175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00710FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00710FCA
Part of subcall function 00710FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00710FD6
Part of subcall function 00710FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00710FE5
Part of subcall function 00710FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00710FEC
Part of subcall function 00710FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00711002

GetLengthSid.ADVAPI32(?,00000000,00711335), ref: 007117AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007117BA
HeapAlloc.KERNEL32(00000000), ref: 007117C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007117DA
GetProcessHeap.KERNEL32(00000000,00000000,00711335), ref: 007117EE
HeapFree.KERNEL32(00000000), ref: 007117F5

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 312eaf2065618c90114b61c5a40ee07f35802a60ab284a3f72fc516c7ccda25b
Instruction ID: 157ac32ac2aa87c65c3abe0a7c54d3a9a07c5d6fdf8c05a46b2dd33e1995af7a
Opcode Fuzzy Hash: 312eaf2065618c90114b61c5a40ee07f35802a60ab284a3f72fc516c7ccda25b
Instruction Fuzzy Hash: 9211BE75502209FFDB119FA8CC49BEE7BA9EB42355F508019F541AB290D739AD80CB60

Function 007114CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007114FF
OpenProcessToken.ADVAPI32(00000000), ref: 00711506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00711515
CloseHandle.KERNEL32(00000004), ref: 00711520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0071154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00711563

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 87d1abaee8fdc496b7158e31eac1684735dfba70abf9b0b956c8aace191f6896
Instruction ID: df46bb4c941551ac9692039af2ebd65d15e797b23fe7742506265aeb0055a1b4
Opcode Fuzzy Hash: 87d1abaee8fdc496b7158e31eac1684735dfba70abf9b0b956c8aace191f6896
Instruction Fuzzy Hash: DA115976602249ABDF128F98DD49BDE7BA9EF49704F048015FE05A60A0C3798EA0DB61

Function 006D3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006D3379,006D2FE5), ref: 006D3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006D339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006D33B7
SetLastError.KERNEL32(00000000,?,006D3379,006D2FE5), ref: 006D3409

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a0880842e6f88d1e2743059500a8b5246a2c7080d4f227331ab933b658d97946
Instruction ID: 861ed255a4c90b27c9c1b4a5aedbd35e18eb84bef24797c7dfad35e5995e64ad
Opcode Fuzzy Hash: a0880842e6f88d1e2743059500a8b5246a2c7080d4f227331ab933b658d97946
Instruction Fuzzy Hash: ED012832E09371BFA6562B757C855962A96EB193B5320422FF410843F0EF154D02918E

Function 006E2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,006E5686,006F3CD6,?,00000000,?,006E5B6A,?,?,?,?,?,006DE6D1,?,00778A48), ref: 006E2D78
_free.LIBCMT ref: 006E2DAB
_free.LIBCMT ref: 006E2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,006DE6D1,?,00778A48,00000010,006B4F4A,?,?,00000000,006F3CD6), ref: 006E2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,006DE6D1,?,00778A48,00000010,006B4F4A,?,?,00000000,006F3CD6), ref: 006E2DEC
_abort.LIBCMT ref: 006E2DF2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 0958e86a9e7cdc24263057238549a68063e658e2246cfc6bb3987ee96270089f
Instruction ID: f7ceb0d60cbb0a733e9efffc7ec4bf03abe61a746bf0d2081ec287a48b9f073c
Opcode Fuzzy Hash: 0958e86a9e7cdc24263057238549a68063e658e2246cfc6bb3987ee96270089f
Instruction Fuzzy Hash: 4FF0F93550778227C29327376C2BA5A165FAFC2BA0F21841DF624D22D2EF2888014169

Function 00748A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006C9693
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96A2
Part of subcall function 006C9639: BeginPath.GDI32(?), ref: 006C96B9
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00748A4E
LineTo.GDI32(?,00000003,00000000), ref: 00748A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00748A70
LineTo.GDI32(?,00000000,00000003), ref: 00748A80
EndPath.GDI32(?), ref: 00748A90
StrokePath.GDI32(?), ref: 00748AA0

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: be62455d2f79a24395ea614d48d35bd4d85df327a135e8c58656ec17def80065
Instruction ID: f61082fa166856ab39b7be288f33a24ae669de3300d189de810b2614955ae3cb
Opcode Fuzzy Hash: be62455d2f79a24395ea614d48d35bd4d85df327a135e8c58656ec17def80065
Instruction Fuzzy Hash: FA11057604114CFFEB129F90DC88EAA7F6DEB09350F04C022FA199A1B1C775AD55DBA4

Function 007151FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00715218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00715229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00715230
ReleaseDC.USER32(00000000,00000000), ref: 00715238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0071524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00715261

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 598699b9638e65f9d7880ca2bbecf23f43af97701cf47b0f779e703f974964ae
Instruction ID: 8eb2eaccffbec0a432611db6cb2d0a765d0c3f69dca4e6be3741e21e2a71cd30
Opcode Fuzzy Hash: 598699b9638e65f9d7880ca2bbecf23f43af97701cf47b0f779e703f974964ae
Instruction Fuzzy Hash: E7018FB5A01708FBEB119BA59C49A4EBFB8FB49351F048066FA04A7290D7749800CBA5

Function 006B1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 006B1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 006B1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 006B1C22

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 12855113abd4c554237314376d9ebb7e576b77fb06fb431aa8275de5fa5bebeb
Instruction ID: 6f3027d95448e41e70f1df62d51112f8eaccce9cb737411c69673f422667e316
Opcode Fuzzy Hash: 12855113abd4c554237314376d9ebb7e576b77fb06fb431aa8275de5fa5bebeb
Instruction Fuzzy Hash: 740167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CFE5

Function 0071EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0071EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0071EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0071EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0071EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0071EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0071EB75

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 34488d0709ef32daa8f881cdcbd49213602b5595903d52dda56c51346b94e6c6
Instruction ID: e6c1432c9ac560d9b28f4a94b95632ca2ceba8d0e53da876a503acd1e9313379
Opcode Fuzzy Hash: 34488d0709ef32daa8f881cdcbd49213602b5595903d52dda56c51346b94e6c6
Instruction Fuzzy Hash: 37F0B4B6202158BBE7225B529C0EEEF3E7CEFCBB11F00815AF601D1090D7A81A01C6B9

Function 00707439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00707452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00707469
GetWindowDC.USER32(?), ref: 00707475
GetPixel.GDI32(00000000,?,?), ref: 00707484
ReleaseDC.USER32(?,00000000), ref: 00707496
GetSysColor.USER32(00000005), ref: 007074B0

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 6e9ffd27583694c0dbf1f0042d55eab5f12c9b3e319403b5ae7b05710168de0f
Instruction ID: ec4b305b8132f7d29e81a4e0049183e0ddfa230e0a27932789db85ad9c0324d7
Opcode Fuzzy Hash: 6e9ffd27583694c0dbf1f0042d55eab5f12c9b3e319403b5ae7b05710168de0f
Instruction Fuzzy Hash: 9101AD35801205FFDB925FA4DC08BAE7BB5FF05311F618165F915A20E1CB392E51EB19

Function 00711874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0071187F
UnloadUserProfile.USERENV(?,?), ref: 0071188B
CloseHandle.KERNEL32(?), ref: 00711894
CloseHandle.KERNEL32(?), ref: 0071189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007118A5
HeapFree.KERNEL32(00000000), ref: 007118AC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ccdfdcc4665a9fbbd823f151f48db67e56d9123de3676405e115bae90e3ba281
Instruction ID: 76be0479996f9f7d3e0e95e8dba084f90a90909402857d348f8e29548dd1148b
Opcode Fuzzy Hash: ccdfdcc4665a9fbbd823f151f48db67e56d9123de3676405e115bae90e3ba281
Instruction Fuzzy Hash: 74E0E57A206105BBDB425FA1ED0C90ABF39FF4AB22B10C222F22581070CB369820DF58

Function 006BBBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006BBEB3

Strings

D%x, xrefs: 006BBE9A
D%x, xrefs: 006BBDED, 006BBD91, 006BBD1B
D%x, xrefs: 006BBCA2
D%xD%x, xrefs: 006BBCA5

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%x$D%x$D%x$D%xD%x
API String ID: 1385522511-2836779441
Opcode ID: bec86df1a508cb279ca76cf89fa21a257fae3202d1417faccef804b932de1330
Instruction ID: 8344bc8041d6e6812edf2aa23ce39e651316c0db78fa2ceb5f9aa6c39a9f378d
Opcode Fuzzy Hash: bec86df1a508cb279ca76cf89fa21a257fae3202d1417faccef804b932de1330
Instruction Fuzzy Hash: C49149B5A0020ACFCB18CF59C4916E9BBF2FF58310F24916AD945AB351D7B5ED82CB90

Function 00737B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 006D0242: EnterCriticalSection.KERNEL32(0078070C,00781884,?,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D024D
Part of subcall function 006D0242: LeaveCriticalSection.KERNEL32(0078070C,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D028A

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 006D00A3: __onexit.LIBCMT ref: 006D00A9

__Init_thread_footer.LIBCMT ref: 00737BFB

Part of subcall function 006D01F8: EnterCriticalSection.KERNEL32(0078070C,?,?,006C8747,00782514), ref: 006D0202
Part of subcall function 006D01F8: LeaveCriticalSection.KERNEL32(0078070C,?,006C8747,00782514), ref: 006D0235

Strings

+Tp, xrefs: 00737E2E
G, xrefs: 00737C7F
Variable must be of type 'Object'., xrefs: 00737C3A
5, xrefs: 00737C78

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tp$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1816105312
Opcode ID: befcfe2c1a567dc5632c65e5cdf16d49e7748d6b575355b503bd5bd56c74d66e
Instruction ID: 2759620fef11465a9f61b4c9294c23489362dce0d80e9d9e707c09c155e6b70e
Opcode Fuzzy Hash: befcfe2c1a567dc5632c65e5cdf16d49e7748d6b575355b503bd5bd56c74d66e
Instruction Fuzzy Hash: 99915DB0A04209EFDB28EF94D8959BDB7B6FF45300F10805DF8065B292DB79AE41CB51

Function 0071C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0071C6EE
_wcslen.LIBCMT ref: 0071C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0071C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0071C7CA

Strings

0, xrefs: 0071C6AF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 7bcf309a9ebb12fb68e11c3d96be733cd739732e1a015fb25e1492b8b2494d32
Instruction ID: 04c4500989ee233b4dd653e62cff5f977e30c9a6a84ac3ff2bc3114d03f135d0
Opcode Fuzzy Hash: 7bcf309a9ebb12fb68e11c3d96be733cd739732e1a015fb25e1492b8b2494d32
Instruction Fuzzy Hash: B051DF716843409BD752AFACC885BFBB7E8AF49310F040A2DF995D31D0DBA8D884CB56

Function 0073AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0073AEA3

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

GetProcessId.KERNEL32(00000000), ref: 0073AF38
CloseHandle.KERNEL32(00000000), ref: 0073AF67

Strings

<, xrefs: 0073AE6B
@, xrefs: 0073AE72

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: b82eab31b0e2213061a6881b30d9c6d53ffdc4192f3994581820aa757c33069d
Instruction ID: c42105cfeff3aa338a5c90698019a42c3984db49bedbf6e538c2053f52c4659a
Opcode Fuzzy Hash: b82eab31b0e2213061a6881b30d9c6d53ffdc4192f3994581820aa757c33069d
Instruction Fuzzy Hash: 74715871A00215EFDB14DF54C486A9EBBF1AF08310F04849DE856AB3A2DB79ED81CB95

Function 0071719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00717206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0071723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0071724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007172CF

Strings

DllGetClassObject, xrefs: 00717242

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 777215d2de8360c74617dc342f46523331b955ef0aca23300bf4b7ac16a64804
Instruction ID: 1858592394b807712952d8255fe48720fac197c8a5322893ebfa2a247aaf6574
Opcode Fuzzy Hash: 777215d2de8360c74617dc342f46523331b955ef0aca23300bf4b7ac16a64804
Instruction Fuzzy Hash: F84162B1604204DFDB19CF58C884ADA7BB9FF49310F1480ADBD059F24AD7B9D985DBA0

Function 00743D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00743E35
IsMenu.USER32(?), ref: 00743E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00743E92
DrawMenuBar.USER32 ref: 00743EA5

Strings

0, xrefs: 00743D89

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 0624662c9fe82bf1e8b6d162c0a5ed5280429e18fc6afddde1da2f574f7ab36f
Instruction ID: b66054be13e13af7f49af586427ced02d00f172b4290daec97f14f6a08f9bee3
Opcode Fuzzy Hash: 0624662c9fe82bf1e8b6d162c0a5ed5280429e18fc6afddde1da2f574f7ab36f
Instruction Fuzzy Hash: 30418974A02219EFDB10DF50D880EEABBB9FF49350F148029F819A7250D338AE51CF60

Function 00711DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00711E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00711E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00711EA9

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Strings

ComboBox, xrefs: 00711DF0
ListBox, xrefs: 00711E25

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: e2b403b39db0a9140a9c5bdf479875ca482bb9c50fb0ff0df975abae06a58bc0
Instruction ID: 386883bbdba43a17de32ae681e5aab5d71501ad25c161c17479d8990c576e159
Opcode Fuzzy Hash: e2b403b39db0a9140a9c5bdf479875ca482bb9c50fb0ff0df975abae06a58bc0
Instruction Fuzzy Hash: 832137B1A00104BADB14ABA8CC45CFFB7B9DF46350B54851DF925A71E1DB3C49898730

Function 00742F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00742F8D
LoadLibraryW.KERNEL32(?), ref: 00742F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00742FA9
DestroyWindow.USER32(?), ref: 00742FB1

Strings

SysAnimate32, xrefs: 00742F68

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 1fc89bc7832817a6b94e59ee7531ee7b9ab25c8d2e74fa47e2bccb1666c4dd34
Instruction ID: 442e50befd009e8f3a2e5f38b8958c93deca049740b5e6055f7e7ac962712598
Opcode Fuzzy Hash: 1fc89bc7832817a6b94e59ee7531ee7b9ab25c8d2e74fa47e2bccb1666c4dd34
Instruction Fuzzy Hash: 5D21FD71200209ABEF118F64DC80EBB37BDEB59364FD08619FA10D20A2C379DCA69764

Function 006D4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006D4D1E,006E28E9,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002), ref: 006D4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006D4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,006D4D1E,006E28E9,?,006D4CBE,006E28E9,007788B8,0000000C,006D4E15,006E28E9,00000002,00000000), ref: 006D4DC3

Strings

mscoree.dll, xrefs: 006D4D86
CorExitProcess, xrefs: 006D4D98

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: dbd02a2e27da07148e97ee35bf77b80061f8bd975e8d60e9e80909057654fe45
Instruction ID: 7ff035dbe406c4bd6eee74a2ca349491fd4d1275202220fe76c52461039eab69
Opcode Fuzzy Hash: dbd02a2e27da07148e97ee35bf77b80061f8bd975e8d60e9e80909057654fe45
Instruction Fuzzy Hash: B0F0A434901208BBDB515F90DC09BDDBFB6EF09752F04409AF805A2350DF745D40CAD4

Function 0070D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0070D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0070D3BF
FreeLibrary.KERNEL32(00000000), ref: 0070D3E5

Strings

X64, xrefs: 0070D2A8
GetSystemWow64DirectoryW, xrefs: 0070D3B9

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: f05d742c8416aae263b864c4b924f13be8b812acc00d024824a9fe28b9830367
Instruction ID: 5247d4b4d654eb4d7a004b1aca4ea2c79b05ebecf80c9615db9741e627a0b6a8
Opcode Fuzzy Hash: f05d742c8416aae263b864c4b924f13be8b812acc00d024824a9fe28b9830367
Instruction Fuzzy Hash: AFF05CB5402710DBD77617948C08E29F796BF02701B54C36AF401E10C4D72CCD40C787

Function 006B4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 006B4EAE
FreeLibrary.KERNEL32(00000000,?,?,006B4EDD,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4EC0

Strings

kernel32.dll, xrefs: 006B4E94
Wow64DisableWow64FsRedirection, xrefs: 006B4EA8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 1a3f88c2656a9d70af82ffb25f0ef8bec280c4f4d4086c8d59cc5ad5768df5fd
Instruction ID: fc77306ef960486453f42d937e218fd9a3fb4b33c1fbf2ff624b0c5a8eac14c4
Opcode Fuzzy Hash: 1a3f88c2656a9d70af82ffb25f0ef8bec280c4f4d4086c8d59cc5ad5768df5fd
Instruction Fuzzy Hash: 89E0CDF9A036225BD27317296C18BDF6955AF83F627054116FC04D2302DF68CD42C6A5

Function 006B4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 006B4E74
FreeLibrary.KERNEL32(00000000,?,?,006F3CDE,?,00781418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 006B4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 006B4E6E
kernel32.dll, xrefs: 006B4E5B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 46b33b0f94231595d832cf4f35b5ab519fd79d5f6b3a73b37cada2594daf34de
Instruction ID: 596535d7796003a8b6776993995481ef4151b82afefa9381e106f91e02e3ee3b
Opcode Fuzzy Hash: 46b33b0f94231595d832cf4f35b5ab519fd79d5f6b3a73b37cada2594daf34de
Instruction Fuzzy Hash: EAD0C2F9503A21574A631B246C08DCB2B1AAF83B513058112B804A2211CF28CD42C6E4

Function 00722947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00722C05
DeleteFileW.KERNEL32(?), ref: 00722C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00722C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00722CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00722CC0

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: d0fb08cc3561525a476df937d898c14664b63445d99249f52534b62f1e83991f
Instruction ID: 213892372d10109c70462af8e007599e21a1790e2a5604d03e8dfcfec13fc0da
Opcode Fuzzy Hash: d0fb08cc3561525a476df937d898c14664b63445d99249f52534b62f1e83991f
Instruction Fuzzy Hash: 4AB16FB1D00129ABDF11EFA4DC85EDE777DEF09340F1040AAF509E6142EA34DA458F65

Function 0073A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0073A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0073A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0073A468
CloseHandle.KERNEL32(?), ref: 0073A63D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 60fdc9fa88683b8280861ef97ce4da3627572e359e241165f2faac0ef9089028
Instruction ID: 3ee6ed62504224f779fa3485c42c93d3389d50d45182a9a8a512af251e8b800b
Opcode Fuzzy Hash: 60fdc9fa88683b8280861ef97ce4da3627572e359e241165f2faac0ef9089028
Instruction Fuzzy Hash: 16A1B5B1604300AFE760DF14C886F2AB7E6AF84714F14885DF5999B2D2D774EC41CB56

Function 006EBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00753700), ref: 006EBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0078121C,000000FF,00000000,0000003F,00000000,?,?), ref: 006EBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00781270,000000FF,?,0000003F,00000000,?), ref: 006EBC36
_free.LIBCMT ref: 006EBB7F

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006EBD4B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: fa2bdb43a2f3777bbf13d1f8b849365e699125735d3878e8f2d7976a3075321a
Instruction ID: a05820e634e6d58b209aed1c6c15eccf075ec85c586c158ea9ac5412647f7278
Opcode Fuzzy Hash: fa2bdb43a2f3777bbf13d1f8b849365e699125735d3878e8f2d7976a3075321a
Instruction Fuzzy Hash: 0D514A71905349AFCB10EF669C819AFB7BEFF44720F20526EE414D7291EB305D428B58

Function 0071E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0071CF22,?), ref: 0071DDFD

Part of subcall function 0071DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0071CF22,?), ref: 0071DE16

Part of subcall function 0071E199: GetFileAttributesW.KERNEL32(?,0071CF95), ref: 0071E19A

lstrcmpiW.KERNEL32(?,?), ref: 0071E473
MoveFileW.KERNEL32(?,?), ref: 0071E4AC
_wcslen.LIBCMT ref: 0071E5EB
_wcslen.LIBCMT ref: 0071E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0071E650

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 95c56fba731ef6871bcff1e073419c294a8f40766a6879a5cb28351a62c17744
Instruction ID: 34c9c94c1972701465eec5848ed6b468489f8e433523ea0f8b6bc62672377e9b
Opcode Fuzzy Hash: 95c56fba731ef6871bcff1e073419c294a8f40766a6879a5cb28351a62c17744
Instruction Fuzzy Hash: 545186B24083859BC764DB94DC819DF73EDAF85340F00491EFA89D3191EF78A6C8876A

Function 0073B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 0073C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0073B6AE,?,?), ref: 0073C9B5
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073C9F1
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA68
Part of subcall function 0073C998: _wcslen.LIBCMT ref: 0073CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0073BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0073BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0073BB63
RegCloseKey.ADVAPI32(?,?), ref: 0073BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0073BBB3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 7bda5d526520b96624186cb0cdb0c64bb94103c94139fe4abcbe19865cfe4578
Instruction ID: fdce111611c152a2fcf94fe7f52ed0dc201ab050b3855421713a6a11201d9f30
Opcode Fuzzy Hash: 7bda5d526520b96624186cb0cdb0c64bb94103c94139fe4abcbe19865cfe4578
Instruction Fuzzy Hash: B361C471208241EFD314DF24C890E6ABBE5FF84308F14895DF5998B2A2DB35ED45CB92

Function 00718BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00718BCD
VariantClear.OLEAUT32 ref: 00718C3E
VariantClear.OLEAUT32 ref: 00718C9D
VariantClear.OLEAUT32(?), ref: 00718D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00718D3B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 57bde3719e8a9258cb7135ae8db2f88a568bfaafe5f744503963a7762feb2f67
Instruction ID: eea85814399677317c95e00c4c85b77cfa12bfc72871267bea9635e6e22f0d3d
Opcode Fuzzy Hash: 57bde3719e8a9258cb7135ae8db2f88a568bfaafe5f744503963a7762feb2f67
Instruction Fuzzy Hash: 4B5169B5A00219EFCB10CF68D884AAABBF8FF8D310B158559E955DB350E734E911CFA0

Function 00728AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00728BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00728BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00728C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00728C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00728C5F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 9e0cd556795cd130da5d42f7da56fbf8a20710bda4733fc8cbface5edc945dc6
Instruction ID: 50d4e57368dc1d22b9da7e19b7c99ad0e0f2a5f2c0704202b0ea81a9a08ec641
Opcode Fuzzy Hash: 9e0cd556795cd130da5d42f7da56fbf8a20710bda4733fc8cbface5edc945dc6
Instruction Fuzzy Hash: B6517175A002149FCB51DF54C881EADBBF6FF49314F048098E8096B362CB35ED81CBA5

Function 00738EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00738F40
GetProcAddress.KERNEL32(00000000,?), ref: 00738FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00738FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00739032
FreeLibrary.KERNEL32(00000000), ref: 00739052

Part of subcall function 006CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00721043,?,75C0E610), ref: 006CF6E6
Part of subcall function 006CF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0070FA64,00000000,00000000,?,?,00721043,?,75C0E610,?,0070FA64), ref: 006CF70D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 6cdcbdab693a62ba77ee38a700940fde56f0da770c812dde0546f292c0bba06b
Instruction ID: f369c249f6d906165d22d76751429005a844075a5f08b8c0bc40f044eec99cbb
Opcode Fuzzy Hash: 6cdcbdab693a62ba77ee38a700940fde56f0da770c812dde0546f292c0bba06b
Instruction Fuzzy Hash: A7517B75600206DFDB55DF58C4848ADBBF2FF49314F088099E90AAB362CB35ED85CB91

Function 00746B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00746C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00746C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00746C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0072AB79,00000000,00000000), ref: 00746C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00746CC7

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: af5558983527de95431cac247b03bae3673afc70850da1c96301cbcae2d18a7f
Instruction ID: f029e72f9c228fcbda1d6cddc7e8d0d6f6f7c2a8431eecd4299fa2acccf9f432
Opcode Fuzzy Hash: af5558983527de95431cac247b03bae3673afc70850da1c96301cbcae2d18a7f
Instruction Fuzzy Hash: 1041F379A00104AFDB25CF68CC98FB97BA5EB0B350F154269F895A72E0C379FD41CA61

Function 006E2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006E20C3
_free.LIBCMT ref: 006E20E3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 11bf19b88d5cbcc9833b1417cf3bfb46ed6f406dd6ebfb3a5b2551bce9344506
Instruction ID: 1418232ffce5514f6fb0733d4a5365b5bf1cded4cfe807460adf29fd4fec6519
Opcode Fuzzy Hash: 11bf19b88d5cbcc9833b1417cf3bfb46ed6f406dd6ebfb3a5b2551bce9344506
Instruction Fuzzy Hash: 3141E672A013019FCB24DF79C891A9EB3ABEF89314F15856DE615EB392D631ED01CB80

Function 006C912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006C9141
ScreenToClient.USER32(00000000,?), ref: 006C915E
GetAsyncKeyState.USER32(00000001), ref: 006C9183
GetAsyncKeyState.USER32(00000002), ref: 006C919D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c69600f1628f06f0842134b7082da4e0be130debec463e06ede6fce267daa19f
Instruction ID: b16b1ad9e57b24cd739bc12ae2227933c69d554729f41a7b1ce4aed56f9e4f6b
Opcode Fuzzy Hash: c69600f1628f06f0842134b7082da4e0be130debec463e06ede6fce267daa19f
Instruction Fuzzy Hash: A7416031A0850AFBDF199F64C849BFEB7B5FB45324F248319E425A72D0C7346951CBA1

Function 00723874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007238CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00723922
TranslateMessage.USER32(?), ref: 0072394B
DispatchMessageW.USER32(?), ref: 00723955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00723966

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b854396055c8f4627f605822a8b12c823431a24d6ec19dc6da56405aacea8823
Instruction ID: e4edc1f8cc2265a2164d28dfc30c971355ceb92ee8ae11d322b0a5d8b81cf890
Opcode Fuzzy Hash: b854396055c8f4627f605822a8b12c823431a24d6ec19dc6da56405aacea8823
Instruction Fuzzy Hash: E531F7709443619FEB35CB34A809BB637A8EB06308F54456DE4A6C64A0E3BCB6C5CB25

Function 0072CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0072C21E,00000000), ref: 0072CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0072CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0072C21E,00000000), ref: 0072CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0072C21E,00000000), ref: 0072CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0072C21E,00000000), ref: 0072CFF2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 47035de3aaabd1288aeea8db81285b91e3f01f50b9aafd4fa01ffc6be9f71aab
Instruction ID: 26b6400972e95e425312947ce96dbc63e99cacd88f345c3eac8bf90358700b57
Opcode Fuzzy Hash: 47035de3aaabd1288aeea8db81285b91e3f01f50b9aafd4fa01ffc6be9f71aab
Instruction Fuzzy Hash: 1C318272500615EFDB21DFA5D984EAFBBFAEF24350B10442EF516D2150D738AE40DB60

Function 00711901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00711915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007119C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007119C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007119DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007119E2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f61a0b41804bb99035da28662ea3037ac0eab8e8e5440fe21de65d10e4db26a7
Instruction ID: 146de3bcf6e11de3bae484fc07a66131f5d69665307c17621593a58e0062cb79
Opcode Fuzzy Hash: f61a0b41804bb99035da28662ea3037ac0eab8e8e5440fe21de65d10e4db26a7
Instruction Fuzzy Hash: 3B31C275900259EFCB00CFACCD99ADE3BB5EB05315F108265FA21AB2D1C774AD84CB91

Function 00745706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00745745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0074579D
_wcslen.LIBCMT ref: 007457AF
_wcslen.LIBCMT ref: 007457BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00745816

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 40d2c6316edf586c2053daf3db2a5e9dee3310292d08abb660fbb2868d0b05e4
Instruction ID: d177e5430dc3ca13773a0dcec97d39288ee42fe04728f3a90084d18b846ccba0
Opcode Fuzzy Hash: 40d2c6316edf586c2053daf3db2a5e9dee3310292d08abb660fbb2868d0b05e4
Instruction Fuzzy Hash: 2421A275904618DBDB219FA4CC85EEE7BB8FF05320F108266E929EA181D7789985CF50

Function 00730930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00730951
GetForegroundWindow.USER32 ref: 00730968
GetDC.USER32(00000000), ref: 007309A4
GetPixel.GDI32(00000000,?,00000003), ref: 007309B0
ReleaseDC.USER32(00000000,00000003), ref: 007309E8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 930c8c976e3a564360d3ee0836216de9a8551f9248e7fe5b0ec8e75b4c6ac381
Instruction ID: 3bfb8f25cf43b3d62203eec0d2d5e7f838ae29df45f188558f4fde388b54181c
Opcode Fuzzy Hash: 930c8c976e3a564360d3ee0836216de9a8551f9248e7fe5b0ec8e75b4c6ac381
Instruction Fuzzy Hash: 5921CF79A00214AFD740EF64D888AAEBBE9FF45300F00C06DF84A97362CB34AD00CB90

Function 006ECDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 006ECDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006ECDE9

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006ECE0F
_free.LIBCMT ref: 006ECE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006ECE31

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 8c6cd9936f66ec0bde120209e38456b64ee7c1b43394ebe48f8301c32a66d371
Instruction ID: 61717ae670554eeda2cb3afd77ca59f8da6a846f13c00a8e7d83b15018989a63
Opcode Fuzzy Hash: 8c6cd9936f66ec0bde120209e38456b64ee7c1b43394ebe48f8301c32a66d371
Instruction Fuzzy Hash: 1101D8726033957F63211A7B6C4CC7B696EDEC7BB1315412EF905D7201DB658D0381B4

Function 006C9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006C9693
SelectObject.GDI32(?,00000000), ref: 006C96A2
BeginPath.GDI32(?), ref: 006C96B9
SelectObject.GDI32(?,00000000), ref: 006C96E2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: cee8103daf21ea5ba78b64f3382920c86b1263f059fe675848c316ab06972714
Instruction ID: 5abb12ed551bc47c636b3c7c717fe0cd8ebaf5fdfaf619e07117c28f43fe06c5
Opcode Fuzzy Hash: cee8103daf21ea5ba78b64f3382920c86b1263f059fe675848c316ab06972714
Instruction Fuzzy Hash: E3218670842345DBEB119F55DC08BF97BA9FB01315F60821AF410A62F0D3786852CBA8

Function 00715711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00715726
_memcmp.LIBVCRUNTIME ref: 00715744
_memcmp.LIBVCRUNTIME ref: 00715757
_memcmp.LIBVCRUNTIME ref: 0071576F
_memcmp.LIBVCRUNTIME ref: 00715787

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 7ab7fd6ac08f8311b8180a37ef912e1ee214f58f98ce14496f9f7215d2a93393
Instruction ID: 8449cfd6c21f9e1abce3d6d5fc49bd985ff044b7a3335d93eaba23aba1360567
Opcode Fuzzy Hash: 7ab7fd6ac08f8311b8180a37ef912e1ee214f58f98ce14496f9f7215d2a93393
Instruction Fuzzy Hash: CF0192A5641A09FAE34C55289D93EFA635D9BA23A4B004025FD049E2C2FB68ED50C6B4

Function 006E2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,006DF2DE,006E3863,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6), ref: 006E2DFD
_free.LIBCMT ref: 006E2E32
_free.LIBCMT ref: 006E2E59
SetLastError.KERNEL32(00000000,006B1129), ref: 006E2E66
SetLastError.KERNEL32(00000000,006B1129), ref: 006E2E6F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 1d70b2dd8f3d517de0a837957bfd1b65228d8348f294b7d943b3be453e13a82e
Instruction ID: 6586cfb739f944503e944c21e08251335e7289e3b74ac31e305a3df2a1a37530
Opcode Fuzzy Hash: 1d70b2dd8f3d517de0a837957bfd1b65228d8348f294b7d943b3be453e13a82e
Instruction Fuzzy Hash: B7017D362077A22BC61327372C9AD6B165FABC27B4B31802DF514A33D3EF388C010024

Function 0071000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?,?,0071035E), ref: 0071002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?), ref: 00710064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0070FF41,80070057,?,?), ref: 00710070

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 19905301b1774b15d9fe45af2b7e64b1174b39dc7291c8bbd8b608376ddef5cb
Instruction ID: daa4922700da081a2c376ebf18a612f75c7639955f42ec95a7fdcf0d33ac50ad
Opcode Fuzzy Hash: 19905301b1774b15d9fe45af2b7e64b1174b39dc7291c8bbd8b608376ddef5cb
Instruction Fuzzy Hash: F601F27A601204BFDB114F68DC08BEA7AEDEF48791F108025F801D6250E7B9CEC09BA0

Function 0071E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0071E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0071E9A5
Sleep.KERNEL32(00000000), ref: 0071E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0071E9B7
Sleep.KERNEL32 ref: 0071E9F3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 143bc5d39d05a8d653ac396f648e9996cfd8838744a9cf7ce91ef000f1cbc491
Instruction ID: 600fcd511ee6ebba209128a65fbb3f897ac39916db85df2221ee962b51548863
Opcode Fuzzy Hash: 143bc5d39d05a8d653ac396f648e9996cfd8838744a9cf7ce91ef000f1cbc491
Instruction Fuzzy Hash: AC019275C0262DDBCF409FE8DC59AEDBB78FF09700F004546E902B2181DB38A590CB66

Function 007110F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00711114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 0071112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00710B9B,?,?,?), ref: 00711136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0071114D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 88196fd20110dc9e2623c0e12b1a7fb40dac27268da075b454b110562a588779
Instruction ID: dc60c20af520075b7f70f84f522f9503e0876a8cc801e32fb8d2ef64b59cbb2f
Opcode Fuzzy Hash: 88196fd20110dc9e2623c0e12b1a7fb40dac27268da075b454b110562a588779
Instruction Fuzzy Hash: 9F018179101209BFDB524FA9DC49EAA3F7EEF86364B104415FA41C7360DB35DC409A60

Function 00710FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00710FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00710FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00710FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00710FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00711002

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1950add31eb545ddf5690648a7c85584812d1c3a0e7aefa1b6453000ce3580e7
Instruction ID: 6a1a292f268737eead7ea3168a0c3a6650539af3825653112b0eaccae3f2af4b
Opcode Fuzzy Hash: 1950add31eb545ddf5690648a7c85584812d1c3a0e7aefa1b6453000ce3580e7
Instruction Fuzzy Hash: B8F06279602305EBD7224FA8DC4DF963B6DEF8A761F508415FA45CB2A1CB78DC808A60

Function 00711014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0071102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00711036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0071104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711062

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 28cadfae3c7869eea97422727b76aa6205407dac61a238afbf7e11fa263dde9b
Instruction ID: 0d60636101f707a201be14baef75bd60fc01652768132bd9bd3a1cf0b70c0e6a
Opcode Fuzzy Hash: 28cadfae3c7869eea97422727b76aa6205407dac61a238afbf7e11fa263dde9b
Instruction Fuzzy Hash: D5F06279702305EBD7225FA9EC49F963B6DEF8A761F504415FA45CB2A0CB78DC80CA60

Function 0072030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720324
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720331
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 0072033E
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 0072034B
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720358
CloseHandle.KERNEL32(?,?,?,?,0072017D,?,007232FC,?,00000001,006F2592,?), ref: 00720365

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fc4d67b944f13e37eba98d4776b4cb65bddb22baef91a4dd7b53d9e5f55feea4
Instruction ID: 3216d62146024c36cf71d8388c072f9c0af064f793a0dc07d1f88799ef290f27
Opcode Fuzzy Hash: fc4d67b944f13e37eba98d4776b4cb65bddb22baef91a4dd7b53d9e5f55feea4
Instruction Fuzzy Hash: C801A276801B259FC7309F66E880412FBF5BF503153158A3FD19652932C375A954CF90

Function 006ED73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006ED752

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006ED764
_free.LIBCMT ref: 006ED776
_free.LIBCMT ref: 006ED788
_free.LIBCMT ref: 006ED79A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0eab6378d06155ee056a95a99dc7e5b5a872c6f91f09ad4d46bfd6a4a0e8bc80
Instruction ID: 7d00012e23f468d33003e682f7ac95a09750732de11e7b11d001fd1e344cad33
Opcode Fuzzy Hash: 0eab6378d06155ee056a95a99dc7e5b5a872c6f91f09ad4d46bfd6a4a0e8bc80
Instruction Fuzzy Hash: 40F068325023896B8A51EB57F9C2C5A77DFBB08750B95580DF048DB602C738FC804A68

Function 00715C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00715C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00715C6F
MessageBeep.USER32(00000000), ref: 00715C87
KillTimer.USER32(?,0000040A), ref: 00715CA3
EndDialog.USER32(?,00000001), ref: 00715CBD

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 8b4d214386fddcc5db06e3bdb86ac6aaa74b3d37d11042c2c3e096ad61480dda
Instruction ID: c0f81cfe7222e5f446f93f1eac32034da0963b478625c07c7ce05d090b2ff016
Opcode Fuzzy Hash: 8b4d214386fddcc5db06e3bdb86ac6aaa74b3d37d11042c2c3e096ad61480dda
Instruction Fuzzy Hash: B301D134501B05EBEB265F14DD4EFE677B8BB01B01F00555AB683A10E0DBF8AAC48BA5

Function 006E22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006E22BE

Part of subcall function 006E29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000), ref: 006E29DE
Part of subcall function 006E29C8: GetLastError.KERNEL32(00000000,?,006ED7D1,00000000,00000000,00000000,00000000,?,006ED7F8,00000000,00000007,00000000,?,006EDBF5,00000000,00000000), ref: 006E29F0

_free.LIBCMT ref: 006E22D0
_free.LIBCMT ref: 006E22E3
_free.LIBCMT ref: 006E22F4
_free.LIBCMT ref: 006E2305

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 203f8f4f2bb9c9a1d6083e885d3abbcaa8be2c21165b1d3dd872dc7056410b46
Instruction ID: c608cc1574bd7c620a93a307f65317f93dda7abc36fbb17c253a1d5d567c8dce
Opcode Fuzzy Hash: 203f8f4f2bb9c9a1d6083e885d3abbcaa8be2c21165b1d3dd872dc7056410b46
Instruction Fuzzy Hash: E1F090714823518B8663AF56BC128483B6FB718BA0751D10EF014CA272C73C05429BED

Function 006C95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006C95D4
StrokeAndFillPath.GDI32(?,?,007071F7,00000000,?,?,?), ref: 006C95F0
SelectObject.GDI32(?,00000000), ref: 006C9603
DeleteObject.GDI32 ref: 006C9616
StrokePath.GDI32(?), ref: 006C9631

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 49db9fd8592cbf4488e24f430a9837f0ef8713fece59c4d7e5cd23d80b2cc753
Instruction ID: bfaa55aeda9cd8ada1cf096095e5dd6a8f19fa795cfc42ec2f3cb150b3642199
Opcode Fuzzy Hash: 49db9fd8592cbf4488e24f430a9837f0ef8713fece59c4d7e5cd23d80b2cc753
Instruction Fuzzy Hash: 3DF03C34046688EBDB265F65ED1CBB43B6AEB01322F64C219F425551F0D7389992DF28

Function 006E0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006E10F9
__freea.LIBCMT ref: 006E1117

Part of subcall function 006E1537: _free.LIBCMT ref: 006E154F

Strings

a/p, xrefs: 006E11DE
am/pm, xrefs: 006E117A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 5e3ee09c1e2c4ae9e087778401dc9b77175e025c60e08cc072a4d3611390395f
Instruction ID: 60490a9cd96694e92abd422cedaaca7deec334833708f314e922b5c118027a07
Opcode Fuzzy Hash: 5e3ee09c1e2c4ae9e087778401dc9b77175e025c60e08cc072a4d3611390395f
Instruction Fuzzy Hash: 07D1E271902386CADB248F6AC855BFEB7B2EF07300F24011AEA019F794D7759D81EB91

Function 007361D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 006D0242: EnterCriticalSection.KERNEL32(0078070C,00781884,?,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D024D
Part of subcall function 006D0242: LeaveCriticalSection.KERNEL32(0078070C,?,006C198B,00782518,?,?,?,006B12F9,00000000), ref: 006D028A

Part of subcall function 006D00A3: __onexit.LIBCMT ref: 006D00A9

__Init_thread_footer.LIBCMT ref: 00736238

Part of subcall function 006D01F8: EnterCriticalSection.KERNEL32(0078070C,?,?,006C8747,00782514), ref: 006D0202
Part of subcall function 006D01F8: LeaveCriticalSection.KERNEL32(0078070C,?,006C8747,00782514), ref: 006D0235

Part of subcall function 0072359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007235E4
Part of subcall function 0072359C: LoadStringW.USER32(00782390,?,00000FFF,?), ref: 0072360A

Strings

x#x, xrefs: 00736353
x#x, xrefs: 0073633A
x#x, xrefs: 0073636F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#x$x#x$x#x
API String ID: 1072379062-3214113500
Opcode ID: 0c8a45da14215635243f1422f71fc2e468c009afb07e74f4d8f0fa98f51d5f08
Instruction ID: 4289fc5f6dfd03c1be4ca7999852ecf5d266e81119b21cc3953d7a295eec518c
Opcode Fuzzy Hash: 0c8a45da14215635243f1422f71fc2e468c009afb07e74f4d8f0fa98f51d5f08
Instruction Fuzzy Hash: AAC15D71A00109AFDB14DF98C891EBEB7BAFF48310F148069F9459B252DB78EA55CB90

Function 006E5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOk, xrefs: 006E5BA8, 006E5C6C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: JOk
API String ID: 0-801978910
Opcode ID: cb91a8bce686dd63c7334e4a4a4cdc721395bbc0ce37f45c34036ec8c654c65d
Instruction ID: a0c6cb8fd43ac988df283908f407fc2f13401c827442588e82386f5b8f79c232
Opcode Fuzzy Hash: cb91a8bce686dd63c7334e4a4a4cdc721395bbc0ce37f45c34036ec8c654c65d
Instruction Fuzzy Hash: 7351D171D027899BCB109FA6C855FEE7BBAAF05718F24005EF406A7292D6709A02CB65

Function 006E8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 006E8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 006E8B7A
__dosmaperr.LIBCMT ref: 006E8B81

Strings

.m, xrefs: 006E8A63

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .m
API String ID: 2434981716-2594521899
Opcode ID: 304c928107f00c7b9fbe01e1bcd9659d709a4a78fb49ff1ec19c949920acc78d
Instruction ID: d47a164335c27259c3e4dbefd035090107fa649332801ae30a13695d0c15c4cc
Opcode Fuzzy Hash: 304c928107f00c7b9fbe01e1bcd9659d709a4a78fb49ff1ec19c949920acc78d
Instruction Fuzzy Hash: A24160705052C5AFD7259F59CC81ABD7F97DF85304B2881ADF44D8B252DE358D038794

Function 00712716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0071B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007121D0,?,?,00000034,00000800,?,00000034), ref: 0071B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00712760

Part of subcall function 0071B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007121FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0071B3F8

Part of subcall function 0071B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0071B355
Part of subcall function 0071B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00712194,00000034,?,?,00001004,00000000,00000000), ref: 0071B365
Part of subcall function 0071B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00712194,00000034,?,?,00001004,00000000,00000000), ref: 0071B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007127CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0071281A

Strings

@, xrefs: 00712832

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c7401fae535d300a0bac7e68152b8cd3431aa92053122b1dd795a4f3b59545da
Instruction ID: 534e85acddbecfd2667a27e912dfde69311fe05919a7277dda5b4423c6c45759
Opcode Fuzzy Hash: c7401fae535d300a0bac7e68152b8cd3431aa92053122b1dd795a4f3b59545da
Instruction Fuzzy Hash: 16413076900218BFDB10DFA8CD85ADEBBB8EF05700F108095FA55B7181DB746E95CB61

Function 006E172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 006E1769
_free.LIBCMT ref: 006E1834
_free.LIBCMT ref: 006E183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 006E1760, 006E1767, 006E1796, 006E17CE

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: bfca84f33aefd765d4577b034cd0aaefd5dfe8eecdc4a24d086cc8243e2386c7
Instruction ID: f10e67ab406912ba4da8eb8563b67721c6eb98d0cbab8b90f9e7cd72c102c66e
Opcode Fuzzy Hash: bfca84f33aefd765d4577b034cd0aaefd5dfe8eecdc4a24d086cc8243e2386c7
Instruction Fuzzy Hash: 9731C271A41398ABCB21DB9A9C85DDFBBFEEB86710B60416AF4009B311D6708E41DB94

Function 0071C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0071C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0071C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00781990,012D4B80), ref: 0071C395

Strings

0, xrefs: 0071C2DF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: b3e1b81ea89f0be44579039acf3710fc825d7dc558ab33a1ecced60f75fa8d06
Instruction ID: aa9b7e7bc657f84cb830930eacd07b2fc2022f0de589bd830935373821cf8874
Opcode Fuzzy Hash: b3e1b81ea89f0be44579039acf3710fc825d7dc558ab33a1ecced60f75fa8d06
Instruction Fuzzy Hash: 4241E231244301DFD721DF68D885B9ABBE4AF85320F108A1EF9A5972D1C738E984CB67

Function 00744416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0074CC08,00000000,?,?,?,?), ref: 007444AA
GetWindowLongW.USER32 ref: 007444C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007444D7

Strings

SysTreeView32, xrefs: 0074447C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8b99419717ab23b34a207bf56ed282339fd7e64d3120e610145b56d45da6e6c2
Instruction ID: 8c4c6e44e5fbbc696c6d1d633ef1e6db894e5e2d13797af2b542ed1ae281e53e
Opcode Fuzzy Hash: 8b99419717ab23b34a207bf56ed282339fd7e64d3120e610145b56d45da6e6c2
Instruction Fuzzy Hash: 0C31BE72200245AFDF618E78DC45FEA77A9EB09334F208319F979921D0D778EC60AB50

Function 00716E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00716EED
VariantCopyInd.OLEAUT32(?,?), ref: 00716F08
VariantClear.OLEAUT32(?), ref: 00716F12

Strings

*jq, xrefs: 00716E8B, 00716E90, 00716EF8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jq
API String ID: 2173805711-1921767587
Opcode ID: 8d8c5211bf22b9e38feef07aa165fa31f634922f7df9aad3574e7342ab4f149d
Instruction ID: b340db38ce179194b3a28e26ed2143aa41be3b549c7a64f1e136e01839a0a0af
Opcode Fuzzy Hash: 8d8c5211bf22b9e38feef07aa165fa31f634922f7df9aad3574e7342ab4f149d
Instruction Fuzzy Hash: 9031A172604245DBCB05AFA8E8529FD37BEEF85700B100499F9025B2F1C7789992DB94

Function 0073304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0073335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00733077,?,?), ref: 00733378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0073307A
_wcslen.LIBCMT ref: 0073309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00733106

Strings

255.255.255.255, xrefs: 00733095, 0073309A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 17a3136dcf953db5d0a98e890d711607c477ac0d4b7a3e8fe61a06e02626f3b4
Instruction ID: f7e323d8443e2af24623a64867d1a7c8109c07abac30362da3bd50c22ccc4355
Opcode Fuzzy Hash: 17a3136dcf953db5d0a98e890d711607c477ac0d4b7a3e8fe61a06e02626f3b4
Instruction Fuzzy Hash: 3E31C139604205DFEB24CF28C585EAA77E1EF14318F248059E9158F3A3DB3AEE81C760

Function 00743EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00743F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00743F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00743F78

Strings

SysMonthCal32, xrefs: 00743F0B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fea11accfe1acec790519ae0fb311e205f6632aeac7df5e946f7c50efc9a0ed1
Instruction ID: 1753b34d5a273b28fbb0ebdcf1b2eb23681c52a03f85428d67a05972c937d9ff
Opcode Fuzzy Hash: fea11accfe1acec790519ae0fb311e205f6632aeac7df5e946f7c50efc9a0ed1
Instruction Fuzzy Hash: 0A21BF32600219BBDF158F50CC46FEA3B79EF49724F114215FE196B1D0D7B9A954CB90

Function 00744653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00744705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00744713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0074471A

Strings

msctls_updown32, xrefs: 00744684

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 10ab6b57e4dd9fc64f890a984dfc1e0e050f7c8c34955f30c2e79bf2f0c17f06
Instruction ID: d7ae60587c7a2201a83ff6084ba10886b9ca865f3084b7d6fdc9bd3595b2cfcc
Opcode Fuzzy Hash: 10ab6b57e4dd9fc64f890a984dfc1e0e050f7c8c34955f30c2e79bf2f0c17f06
Instruction Fuzzy Hash: EC218CB5600209AFDB11DF64DC81DAB37ADEB4A3A4B114059FA009B351CB38EC12DB64

Function 007195AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0071961D

Strings

#requireadmin, xrefs: 007195D9
#notrayicon, xrefs: 007195B7
#OnAutoItStartRegister, xrefs: 007195F3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f5e1a7bed62c29afaddfc872840dc1fafec9e65ce58474b11a93f53096e00166
Instruction ID: b702578dba601e1ba0d344d3e8bddf4be6fb1850f91e4f3ac137082d96dfdb98
Opcode Fuzzy Hash: f5e1a7bed62c29afaddfc872840dc1fafec9e65ce58474b11a93f53096e00166
Instruction Fuzzy Hash: 4721297250411066D331AB2D9822FF773EA9F91300F10402AFA49971C1EB59ADD2C2A9

Function 007437B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00743840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00743850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00743876

Strings

Listbox, xrefs: 0074380F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 94b3641b0238720c41aadf58e2e40f02ae452c95619e81a307e9da12a1494474
Instruction ID: 8e91ba7258e291882d8d72a5ecf32b47f03c66e0c64fd14290aee346416d779c
Opcode Fuzzy Hash: 94b3641b0238720c41aadf58e2e40f02ae452c95619e81a307e9da12a1494474
Instruction Fuzzy Hash: 0C21D172600218BBEF228F54CC85FBB3B6EEF89760F118125F9489B190C779DC5287A0

Function 007249F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00724A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00724A5C
SetErrorMode.KERNEL32(00000000,?,?,0074CC08), ref: 00724AD0

Strings

%lu, xrefs: 00724A6F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2aee49619c00e33f27df7126ed989fa1897fb5413e9d4e541afbfc56d074eae3
Instruction ID: 696ccb0f929f39dc36f162792bd61c3d66d6d210becd685f919173ba0673d5f3
Opcode Fuzzy Hash: 2aee49619c00e33f27df7126ed989fa1897fb5413e9d4e541afbfc56d074eae3
Instruction Fuzzy Hash: 9731C1B5A00108AFDB50DF64C885EAA7BF9EF08308F1480A9F908DB352D775ED41CB61

Function 007441EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0074424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00744264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00744271

Strings

msctls_trackbar32, xrefs: 00744226

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bf7e2607f26d633b2ba614e40eee909ab259b5d9ff89febb91947dd8bf8c82c5
Instruction ID: e26b6d41882e42cfe5f318a48efc739807fff24cef0556f24760f04ea8f0b37b
Opcode Fuzzy Hash: bf7e2607f26d633b2ba614e40eee909ab259b5d9ff89febb91947dd8bf8c82c5
Instruction Fuzzy Hash: 3C110671240208BEEF205F29CC06FAB3BACFF95B64F114524FA55E2090D7B5DC519B14

Function 00712F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

Part of subcall function 00712DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00712DC5
Part of subcall function 00712DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00712DD6
Part of subcall function 00712DA7: GetCurrentThreadId.KERNEL32 ref: 00712DDD
Part of subcall function 00712DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00712DE4

GetFocus.USER32 ref: 00712F78

Part of subcall function 00712DEE: GetParent.USER32(00000000), ref: 00712DF9

GetClassNameW.USER32(?,?,00000100), ref: 00712FC3
EnumChildWindows.USER32(?,0071303B), ref: 00712FEB

Strings

%s%d, xrefs: 00712FFF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 3a9e89e6483764b3abc922ce607a5f1304b62fb0e24247ba59a55de37d2e3b54
Instruction ID: e8d0581fdff05cd03fb254b014fd7512ce1d38adc9197a07e314dd4907359aa6
Opcode Fuzzy Hash: 3a9e89e6483764b3abc922ce607a5f1304b62fb0e24247ba59a55de37d2e3b54
Instruction Fuzzy Hash: CA11D5B5300205ABDF857F64DC99EED37AAAF84304F048079B9099B292DF3859858B70

Function 00745882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007458C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007458EE
DrawMenuBar.USER32(?), ref: 007458FD

Strings

0, xrefs: 0074588F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: bd80b2d7f1df630f761345b204e7e479dfa1a338784313f4bc657d4497145cb4
Instruction ID: 2547adafbf1726b6c6eba43c3f40ed4e1f306b8be6a5991af17500add2d9aa8d
Opcode Fuzzy Hash: bd80b2d7f1df630f761345b204e7e479dfa1a338784313f4bc657d4497145cb4
Instruction Fuzzy Hash: 9F01C031500208EFDB619F11DC44FAEBBB5FF46760F10C09AE849DA152DB349A90EF20

Function 0071007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b752b50b017e3a0e2a184fa1e00ed819e668726723ac9cfad971a4d988cc09be
Instruction ID: 81d00949685df9441dc0e54262558d9011adfa164f8d1a14b06f7d7710e922a8
Opcode Fuzzy Hash: b752b50b017e3a0e2a184fa1e00ed819e668726723ac9cfad971a4d988cc09be
Instruction Fuzzy Hash: A4C18C75A0020AEFCB14CFA8C888AAEB7B5FF48714F108598E415EB291D774EDC1DB90

Function 0073342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00733459
CoUninitialize.OLE32 ref: 00733463
VariantInit.OLEAUT32(?), ref: 0073346E
VariantClear.OLEAUT32(?), ref: 0073371B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 29648c348288883655995b5b132b1ea814d2a6c96bdc57c6582a3738dee2eeee
Instruction ID: 129b5de739fd80ff508cdbd9b8acb868da78a2c329b9d1eb8a286c795d5aa1af
Opcode Fuzzy Hash: 29648c348288883655995b5b132b1ea814d2a6c96bdc57c6582a3738dee2eeee
Instruction Fuzzy Hash: FBA15BB5604210DFD760DF28C486A6AB7E5FF88314F04885DF98A9B362DB34EE41CB95

Function 00710436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0074FC08,?), ref: 007105F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0074FC08,?), ref: 00710608
CLSIDFromProgID.OLE32(?,?,00000000,0074CC40,000000FF,?,00000000,00000800,00000000,?,0074FC08,?), ref: 0071062D
_memcmp.LIBVCRUNTIME ref: 0071064E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 3eb3246d3936722bed6fa1dfc5bd3cfc82162530f82de7b27b24f5b77b1f3f17
Instruction ID: abdfbac37840139190eec42ca55ce93543da78805adc6c73325e6a200e9dfe76
Opcode Fuzzy Hash: 3eb3246d3936722bed6fa1dfc5bd3cfc82162530f82de7b27b24f5b77b1f3f17
Instruction Fuzzy Hash: 97810F75900109EFCB04DF98C984DEEB7BAFF89315F104558F506AB250DB75AE86CBA0

Function 0073A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0073A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0073A6BA

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0073A79C
CloseHandle.KERNEL32(00000000), ref: 0073A7AB

Part of subcall function 006CCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,006F3303,?), ref: 006CCE8A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 2aca0e537ee322f69a055d3305e96f0e3d48d0b8cf9095c3c08e0b05b9ee31a1
Instruction ID: 33d73578f7359392650b351d5ddf2f4066cff284323d7e7e8189078c055d26cd
Opcode Fuzzy Hash: 2aca0e537ee322f69a055d3305e96f0e3d48d0b8cf9095c3c08e0b05b9ee31a1
Instruction Fuzzy Hash: F2517FB1508300AFD350EF24C886EABBBE9FF89754F00891DF58597252EB34D944CB96

Function 006F1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006F14C0

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e8e6d340d334a79b75da288c0e12a3c2810189472953ee057dd43daefc10cf97
Instruction ID: f4bc31c672a6ab6846cb1e612b373928e454c88f3ee69140acdb871c24d00b47
Opcode Fuzzy Hash: e8e6d340d334a79b75da288c0e12a3c2810189472953ee057dd43daefc10cf97
Instruction Fuzzy Hash: 14412B31900208EBDB616FF99C456FE3AE7EF833B0F14422AF619DA392E634494153B5

Function 00746278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 007462E2
ScreenToClient.USER32(?,?), ref: 00746315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00746382

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bf038644edd80aa3db6e7338185a218fcea31a6ef756565b1d7cd3b970bd6010
Instruction ID: 6149236404ab7314e087c9285a1514277164f6fd6d5fa0d3cad1518a5750d795
Opcode Fuzzy Hash: bf038644edd80aa3db6e7338185a218fcea31a6ef756565b1d7cd3b970bd6010
Instruction Fuzzy Hash: 6A516074A00249EFCF14DF68D8809AE7BB6FF46364F208259F9259B290D734ED81CB51

Function 00731AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00731AFD
WSAGetLastError.WSOCK32 ref: 00731B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00731B8A
WSAGetLastError.WSOCK32 ref: 00731B94

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 65c576d2b128ae67fcd7775266cb86aeab97adff9a69b1091d697be3639285d6
Instruction ID: 2d091fcfcc2d5a4b332d65fa40eb10077d93c508747b6baff0d6ea664fec6e50
Opcode Fuzzy Hash: 65c576d2b128ae67fcd7775266cb86aeab97adff9a69b1091d697be3639285d6
Instruction Fuzzy Hash: 6541B0B4600200AFE760AF24C886F6677E6AB44718F54C48CF91A9F6D3D776DD818B94

Function 006EB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546b472cc0b81a86fda5eca5905d79a25835cf40d675f2cdb5721ba978570bbc
Instruction ID: cf8b047d6823d46f8d3c661af7685f25d4e4d434bc6b8b69240f3333d3acf0be
Opcode Fuzzy Hash: 546b472cc0b81a86fda5eca5905d79a25835cf40d675f2cdb5721ba978570bbc
Instruction Fuzzy Hash: D941D3B1A01384EFD7249F79CC41BABBBEAEB88710F10552EF542DB2C2D771A9018784

Function 007256D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00725783
GetLastError.KERNEL32(?,00000000), ref: 007257A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007257CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007257FA

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 1ba6f1b87425402b3dce9d5d9740ddceb37f284dc6289fbe674d75200d41ddcb
Instruction ID: 8e02f0be2b3aa021c9f74e9c1517fe23fbf6e358a9340803ee850b314bef38c7
Opcode Fuzzy Hash: 1ba6f1b87425402b3dce9d5d9740ddceb37f284dc6289fbe674d75200d41ddcb
Instruction Fuzzy Hash: C941417A600620DFCB21DF15C445A5DBBF2EF89320B18C488E84A5B362CB74FD40CB95

Function 006ED8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,006D6D71,00000000,00000000,006D82D9,?,006D82D9,?,00000001,006D6D71,?,00000001,006D82D9,006D82D9), ref: 006ED910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006ED999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 006ED9AB
__freea.LIBCMT ref: 006ED9B4

Part of subcall function 006E3820: RtlAllocateHeap.NTDLL(00000000,?,00781444,?,006CFDF5,?,?,006BA976,00000010,00781440,006B13FC,?,006B13C6,?,006B1129), ref: 006E3852

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: ac012b9371c86bbcb9a5bca7d1aa1e5719d61118d6c28ae868567c9975ad3911
Instruction ID: b873375fe744805186e9619e4d69bfdb8ec40c57dd9b684463763812c7ae87a2
Opcode Fuzzy Hash: ac012b9371c86bbcb9a5bca7d1aa1e5719d61118d6c28ae868567c9975ad3911
Instruction Fuzzy Hash: 1931DC72A0124AABDF258F66DC45EEE7BA6EB41310F054169FC04DB292EB35CD50CBA4

Function 007452C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00745352
GetWindowLongW.USER32(?,000000F0), ref: 00745375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00745382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007453A8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f40cf645c33d41ba1581fbf7be196176bfc9951d2abd7e9b5114cf0796c511d1
Instruction ID: 3d724506e8c251019aace64e09d1736763856f21ceec0bce6a7633ff4ab9d6fd
Opcode Fuzzy Hash: f40cf645c33d41ba1581fbf7be196176bfc9951d2abd7e9b5114cf0796c511d1
Instruction Fuzzy Hash: 2831D634A55A0CEFEF319F14CC05FE87765AB05398F588142FA10961E2C7BC9D40DB46

Function 0071AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0071ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0071AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0071AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0071ACC6

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 6943d20ecf0fb9c2ce392110040d60a395d06287df58b087a0bfe0c1d2ae0d66
Instruction ID: eebafb818d2774281ab701e09f3938dd157f085f329c649e677268fe508a91f0
Opcode Fuzzy Hash: 6943d20ecf0fb9c2ce392110040d60a395d06287df58b087a0bfe0c1d2ae0d66
Instruction Fuzzy Hash: 9D31F630A01618BFEB35CF6D88097FA7BA6AB85310F04821AE485921D1D37D89C587F2

Function 00747674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0074769A
GetWindowRect.USER32(?,?), ref: 00747710
PtInRect.USER32(?,?,00748B89), ref: 00747720
MessageBeep.USER32(00000000), ref: 0074778C

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ca74b375d1e730e17b435c297cdd9a53460a21ab328632b0ca90b8447d3aad41
Instruction ID: 137e0a6b50cc383767835fecb26ff5b3c013521b24652f090812da5bd9c65fcd
Opcode Fuzzy Hash: ca74b375d1e730e17b435c297cdd9a53460a21ab328632b0ca90b8447d3aad41
Instruction Fuzzy Hash: 7B41C338605254DFCB16CF58C894EA9B7F9FF49314F9680A9E514DB261C738E942CF90

Function 007416DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007416EB

Part of subcall function 00713A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00713A57
Part of subcall function 00713A3D: GetCurrentThreadId.KERNEL32 ref: 00713A5E
Part of subcall function 00713A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007125B3), ref: 00713A65

GetCaretPos.USER32(?), ref: 007416FF
ClientToScreen.USER32(00000000,?), ref: 0074174C
GetForegroundWindow.USER32 ref: 00741752

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c3637cd8d654135c96d538f952cb8365c0e06e3bf6ce255d001a52dcde21b16b
Instruction ID: bc9d1959dd1b2a7988beea6c13a69ea385e111479bdba65a608aa548d75b31e5
Opcode Fuzzy Hash: c3637cd8d654135c96d538f952cb8365c0e06e3bf6ce255d001a52dcde21b16b
Instruction Fuzzy Hash: F93130B5D00149AFC741EFA9C885CEEBBFDEF88304B5480AAE415E7211D7359E85CBA4

Function 00748FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

GetCursorPos.USER32(?), ref: 00749001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00707711,?,?,?,?,?), ref: 00749016
GetCursorPos.USER32(?), ref: 0074905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00707711,?,?,?), ref: 00749094

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 019e61ac31ef7140a2f48840edb8988cd17e27f6b45cc7dc04d039dfc03d40b6
Instruction ID: ccef8f06b41f2d749668158fb65b509b62200eb45ddfdd76ca8004d1baa90304
Opcode Fuzzy Hash: 019e61ac31ef7140a2f48840edb8988cd17e27f6b45cc7dc04d039dfc03d40b6
Instruction Fuzzy Hash: 9B219F35601018EFDB26CF94C859EFBBBB9EB4A350F148069FA0547271C739AD51DB60

Function 0071D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0074CB68), ref: 0071D2FB
GetLastError.KERNEL32 ref: 0071D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0071D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0074CB68), ref: 0071D376

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 5e20cfd47c9976e828b1b7b6ec26bed078011a01aa712280225dab9898886cd7
Instruction ID: 89062262b3ad29e06d83a796968747cbe02fb0ab06ac4f0be18c8e12d209292c
Opcode Fuzzy Hash: 5e20cfd47c9976e828b1b7b6ec26bed078011a01aa712280225dab9898886cd7
Instruction Fuzzy Hash: 5F2180B4505201DF8764DF28C8814AA77E4EE56324F104A1DF4A9C32E1DB34DD86CF97

Function 00711571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00711014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0071102A
Part of subcall function 00711014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00711036
Part of subcall function 00711014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711045
Part of subcall function 00711014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0071104C
Part of subcall function 00711014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00711062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007115BE
_memcmp.LIBVCRUNTIME ref: 007115E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00711617
HeapFree.KERNEL32(00000000), ref: 0071161E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bbe472b05b811e4e265cbaf54685f00a63ea24b2ba623a13e7f655c5cbe32a81
Instruction ID: 4f7f97e203bdc07641ac53929e50ba941eeb10db0e0555185068b6c3cc74ec68
Opcode Fuzzy Hash: bbe472b05b811e4e265cbaf54685f00a63ea24b2ba623a13e7f655c5cbe32a81
Instruction Fuzzy Hash: 3721B371E01108EFDF00DFA8C945BEEB7B9EF85344F498459E541AB281EB39AE45CB50

Function 00742782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0074280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00742824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00742832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00742840

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 6198f342da4ae1aac16152ef8708afd7dc622b36e0672b6129e809373944d226
Instruction ID: 1f244d6595fe565200463da1b1a253b707a1871001b69b36a80307bffc9d0c62
Opcode Fuzzy Hash: 6198f342da4ae1aac16152ef8708afd7dc622b36e0672b6129e809373944d226
Instruction Fuzzy Hash: FF210635305110AFD7159B24C844FAA7799AF45324F148158F8268B2D3CB79FC92CB90

Function 007178F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00718D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0071790A,?,000000FF,?,00718754,00000000,?,0000001C,?,?), ref: 00718D8C
Part of subcall function 00718D7D: lstrcpyW.KERNEL32(00000000,?,?,0071790A,?,000000FF,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00718DB2
Part of subcall function 00718D7D: lstrcmpiW.KERNEL32(00000000,?,0071790A,?,000000FF,?,00718754,00000000,?,0000001C,?,?), ref: 00718DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00717923
lstrcpyW.KERNEL32(00000000,?,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00717949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00718754,00000000,?,0000001C,?,?,00000000), ref: 00717984

Strings

cdecl, xrefs: 0071797B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 595d73a3967047e7d96f45c6606826e6855a65567320e73d0cc2400a77c730fc
Instruction ID: 203976b40e13309cf51cd29dc40ce24424e558d600cc429ea1ef1a8a3882281f
Opcode Fuzzy Hash: 595d73a3967047e7d96f45c6606826e6855a65567320e73d0cc2400a77c730fc
Instruction Fuzzy Hash: A511063A200301ABCB159F38D844EBA77B9FF89750B10802AF946C72A4EB359841C795

Function 00747CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00747D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00747D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00747D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0072B7AD,00000000), ref: 00747D6B

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 1e1287278b7f5d9496a9de637806f8c6aaa0a2a83fe687d24078a54420fae026
Instruction ID: d8db3d736af625779ecfc794c2ab162562ec9d666ff5775acbe25d6a8e08f415
Opcode Fuzzy Hash: 1e1287278b7f5d9496a9de637806f8c6aaa0a2a83fe687d24078a54420fae026
Instruction Fuzzy Hash: FD11D231615614AFCB149F28CC04A7A3BA9AF46360B218324F839CB2F0E7389D11CB54

Function 00745660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007456BB
_wcslen.LIBCMT ref: 007456CD
_wcslen.LIBCMT ref: 007456D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00745816

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: e6607cf6ac0a7d48916fbb4004351ec20a472a3da09a5a1e1c637e1889158c8a
Instruction ID: d485d98f0e08ac46c972f89dbb29b74feb4613a45fb0805ddbe7fd7c80ef3095
Opcode Fuzzy Hash: e6607cf6ac0a7d48916fbb4004351ec20a472a3da09a5a1e1c637e1889158c8a
Instruction Fuzzy Hash: 96110675A00604A7DB209F75CC85EEE376CEF12760B50806AF905DA082EB78D980CB65

Function 006E1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43130814d0719f008764897e67b5860bfaf62e0b47fd100f186425e89e38dba7
Instruction ID: 24d921619d7b78807425ae47d7d32d3389c1b8601d8de59f38f93a6ed0d94bc1
Opcode Fuzzy Hash: 43130814d0719f008764897e67b5860bfaf62e0b47fd100f186425e89e38dba7
Instruction Fuzzy Hash: 8A01F2B220B78A3EF651167A6CC1FA7261FDF827B8B34032AF520592D2DB748C006174

Function 00711A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00711A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00711A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00711A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00711A8A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3f6adfe94d57c15eaebe163b2377241aaac9bc9e4d0d11272fc9909a0dc2cbe8
Instruction ID: e431778e5264896f6fe0655e331e8db2cddcc12e74f53c35bcd86dde834ba082
Opcode Fuzzy Hash: 3f6adfe94d57c15eaebe163b2377241aaac9bc9e4d0d11272fc9909a0dc2cbe8
Instruction Fuzzy Hash: 0711FA3A901219FFEB119BA9CD85FEDBB78EF04750F604091EA04B7290D6716E50DB94

Function 0071E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0071E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0071E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0071E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0071E24D

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: daf4cad46e0c990c743de76a40371eeee5629c806c0c997f27eb281698e1fc74
Instruction ID: f07a3c3ceb2a8f62c6af499a998ba28ca2eb24cd50e4d425e8c32e1c29507fdc
Opcode Fuzzy Hash: daf4cad46e0c990c743de76a40371eeee5629c806c0c997f27eb281698e1fc74
Instruction Fuzzy Hash: 86112B76E04258BBC7019FAC9C05ADE7FACAB46310F108216FD14D32D1D3B8CD0087A4

Function 006DD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,006DCFF9,00000000,00000004,00000000), ref: 006DD218
GetLastError.KERNEL32 ref: 006DD224
__dosmaperr.LIBCMT ref: 006DD22B
ResumeThread.KERNEL32(00000000), ref: 006DD249

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 4c140bf5899cdf3d2c581232ae72df78ed9f600ea93ad37163187d5fc20fc403
Instruction ID: 458c7c6bb6cf5dad3f7421826242a1c8a1cf602598773004ba95cdda727292bc
Opcode Fuzzy Hash: 4c140bf5899cdf3d2c581232ae72df78ed9f600ea93ad37163187d5fc20fc403
Instruction Fuzzy Hash: DC01D636C052087BCB516FA5DC05BEA7A6FDF82330F10421FF925923D0CB718A01C6A5

Function 00749EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 006C9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 006C9BB2

GetClientRect.USER32(?,?), ref: 00749F31
GetCursorPos.USER32(?), ref: 00749F3B
ScreenToClient.USER32(?,?), ref: 00749F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00749F7A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c681c1ffb8ec80a3691706ed05bd123775342b9a3d65fcbeef8ec5aa4a08b0a2
Instruction ID: 438da901a87a7e5efd37ff72b968c01c358ca4ece808da77a083605675eb6a3b
Opcode Fuzzy Hash: c681c1ffb8ec80a3691706ed05bd123775342b9a3d65fcbeef8ec5aa4a08b0a2
Instruction Fuzzy Hash: 1E11883690111AEBDB01DF68C84A9EFB7B8FB06311F104455FA01E3040C338BE86CBA5

Function 006B600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006B604C
GetStockObject.GDI32(00000011), ref: 006B6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 006B606A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b1cf7d04436fd1b407e15104c005d543a79140cec244076eb181c2d0a7e29ab8
Instruction ID: d269780dd1356449710b957280ad83ee81491c28810572797781c1f793bee334
Opcode Fuzzy Hash: b1cf7d04436fd1b407e15104c005d543a79140cec244076eb181c2d0a7e29ab8
Instruction Fuzzy Hash: 0811A1B2102508BFEF125F95CD44EFA7B6AEF09364F004106FA0452120D73A9CA0DB90

Function 006D3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 006D3B56

Part of subcall function 006D3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006D3AD2
Part of subcall function 006D3AA3: ___AdjustPointer.LIBCMT ref: 006D3AED

_UnwindNestedFrames.LIBCMT ref: 006D3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006D3B7C
CallCatchBlock.LIBVCRUNTIME ref: 006D3BA4

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 217eff2915417b57b57933b635f3cf55f6045c66385598f6622b4ee9f6de400c
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 1F012932900148BBDF125F95CC46EEB3B6AEF58794F04401AFE4856321C732E961EBA5

Function 006E3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006B13C6,00000000,00000000,?,006E301A,006B13C6,00000000,00000000,00000000,?,006E328B,00000006,FlsSetValue), ref: 006E30A5
GetLastError.KERNEL32(?,006E301A,006B13C6,00000000,00000000,00000000,?,006E328B,00000006,FlsSetValue,00752290,FlsSetValue,00000000,00000364,?,006E2E46), ref: 006E30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,006E301A,006B13C6,00000000,00000000,00000000,?,006E328B,00000006,FlsSetValue,00752290,FlsSetValue,00000000), ref: 006E30BF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 23ff62d0855aeb1add960c218bc643c026c902449acdfebdc05eebe3d17f5e3f
Instruction ID: 38949c27ebf04d83a129cb4ab8ea0d6cb1d5b8d8d768103e2cc2d1448f9df9b9
Opcode Fuzzy Hash: 23ff62d0855aeb1add960c218bc643c026c902449acdfebdc05eebe3d17f5e3f
Instruction Fuzzy Hash: B9012036303372ABCB318B7B9C4C9A77799AF46771B204621F905D7340C725D901C6E4

Function 00717464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0071747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00717497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007174AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007174CA

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1f06d14e3caf7ad8842e944a7fc37a058d1cc571bd96124ca8c49903c65a55f6
Instruction ID: ca9e51f99fcc8b08cf68659c8cc32397a6a9a28a7fd88f5213a80cfe99583821
Opcode Fuzzy Hash: 1f06d14e3caf7ad8842e944a7fc37a058d1cc571bd96124ca8c49903c65a55f6
Instruction Fuzzy Hash: CE11A1B52063549BE7208F5CDD08BD27FFCEB00B10F10856AAA56D6191D778E984DB50

Function 0071B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0071ACD3,?,00008000), ref: 0071B126

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 890e59eee227314297ab8b35748ede0f29020ddd6b4e057449e1bfd2ddb37a3e
Instruction ID: 9a1afa3c92f31aefc618a33f4d6ec7ecf3781dbbd85bc53a44793bbd75275764
Opcode Fuzzy Hash: 890e59eee227314297ab8b35748ede0f29020ddd6b4e057449e1bfd2ddb37a3e
Instruction Fuzzy Hash: 99116171C0151CE7CF009FE8D9596FEBB78FF0A711F11808AD951B2181CB389A909B55

Function 00747E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00747E33
ScreenToClient.USER32(?,?), ref: 00747E4B
ScreenToClient.USER32(?,?), ref: 00747E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00747E8A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2c7049a44d172a931365d39e808c211e0ec4d54b21568509894b45384fbb76f7
Instruction ID: d11ede347ae8e720a9295574722d6fff409826e3ceea58d8c513f7c74b06677b
Opcode Fuzzy Hash: 2c7049a44d172a931365d39e808c211e0ec4d54b21568509894b45384fbb76f7
Instruction Fuzzy Hash: 251153B9D0020AAFDB41CF98C884AEEBBF9FF09310F509166E915E3210D735AA54CF95

Function 00712DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00712DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00712DD6
GetCurrentThreadId.KERNEL32 ref: 00712DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00712DE4

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 811e1963b461a6ba2e0b25614e8a044efbaf5e02ddf2a79b8cb38106af4f1817
Instruction ID: 4458b17f4b3ba2ed9b65f4a6395868178d69e9573b60b904ce87e7c4115838eb
Opcode Fuzzy Hash: 811e1963b461a6ba2e0b25614e8a044efbaf5e02ddf2a79b8cb38106af4f1817
Instruction Fuzzy Hash: A1E092752022287BD7211BB6EC0EFEB3E6CEF43BA1F018016F105D10C19BA8C881C6B2

Function 00748863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006C9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 006C9693
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96A2
Part of subcall function 006C9639: BeginPath.GDI32(?), ref: 006C96B9
Part of subcall function 006C9639: SelectObject.GDI32(?,00000000), ref: 006C96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00748887
LineTo.GDI32(?,?,?), ref: 00748894
EndPath.GDI32(?), ref: 007488A4
StrokePath.GDI32(?), ref: 007488B2

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 646f3ce1740c53a29f6ae19eed8469db91d680e9c8fe9417a1cce3fe241c33ca
Instruction ID: e99c9a0d1903c2a30d60196c698bdb1aff11a9d21047b2f5096547ce3bb9d0f2
Opcode Fuzzy Hash: 646f3ce1740c53a29f6ae19eed8469db91d680e9c8fe9417a1cce3fe241c33ca
Instruction Fuzzy Hash: 13F03A3A042258BAEB535F94AC09FDE3A59AF06310F54C101FA11651E2C7795511CBAD

Function 006C98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006C98CC
SetTextColor.GDI32(?,?), ref: 006C98D6
SetBkMode.GDI32(?,00000001), ref: 006C98E9
GetStockObject.GDI32(00000005), ref: 006C98F1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 21318a7cda3f706ac3b4a32e02bca9cc3f6231497f528a50c46019a943bb9ca4
Instruction ID: a5518ed5b51a89fffab703f3af86e8b63842024b0395e599f84f69b5c5bd246a
Opcode Fuzzy Hash: 21318a7cda3f706ac3b4a32e02bca9cc3f6231497f528a50c46019a943bb9ca4
Instruction Fuzzy Hash: E8E0ED35640284EAEB220B34AC08BE83F60EB02332F04C31AF6FA580E1C7794650CB20

Function 0071162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00711634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007111D9), ref: 0071163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007111D9), ref: 00711648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007111D9), ref: 0071164F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 32188f3f2068c99f557e17dde1506ceb6bde373229bd203d855ff150835751d9
Instruction ID: 7fd2e17f672ec9235ec145b8810f029089450276101d17eed877bff17f2daf4f
Opcode Fuzzy Hash: 32188f3f2068c99f557e17dde1506ceb6bde373229bd203d855ff150835751d9
Instruction Fuzzy Hash: D8E04F356022119BD7A01FA49E0DB863B78AF46791F158809F345C90A0DB6C44808B58

Function 0070D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0070D858
GetDC.USER32(00000000), ref: 0070D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0070D882
ReleaseDC.USER32(?), ref: 0070D8A3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8552ed186f19d25d9fb6517fe80c91185c783995045db38c4afab1a3faccbd84
Instruction ID: faa35a145544b3cd0f569de133e4c01535bda8a804f287bd7d9cdbd14e28cd8f
Opcode Fuzzy Hash: 8552ed186f19d25d9fb6517fe80c91185c783995045db38c4afab1a3faccbd84
Instruction Fuzzy Hash: D9E01AB8801204DFCB929FA0D808A6DBBB6FB09310F11C05AF806E7260C73C8941AF45

Function 0070D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0070D86C
GetDC.USER32(00000000), ref: 0070D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0070D882
ReleaseDC.USER32(?), ref: 0070D8A3

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 6e8d7946be8133993404a151731447d0954c85f3ddff549de94efac8512a84a9
Instruction ID: 5fcfd1e2006b78ac14406d3e765243db0d65d0f86b15f9c3254f802dfd628400
Opcode Fuzzy Hash: 6e8d7946be8133993404a151731447d0954c85f3ddff549de94efac8512a84a9
Instruction Fuzzy Hash: 88E01AB8801200DFCB929FA0D80866DBBB6FB08310B11C04AF906E7260C73C99019F45

Function 00724D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 006B7620: _wcslen.LIBCMT ref: 006B7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00724ED4

Strings

*, xrefs: 00724E10
LPT, xrefs: 00724DFB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c29c082f09e9da33030491a8b8106b11807ee2d88f3e046ef355463227484915
Instruction ID: 87ac5c36127ee9db92d0fe3d90362a8274f71ba75620ab8f62fe2280f4b5bf89
Opcode Fuzzy Hash: c29c082f09e9da33030491a8b8106b11807ee2d88f3e046ef355463227484915
Instruction Fuzzy Hash: CF917175A002149FDB14DF58D584EA9BBF1BF84304F19809DE40A9F3A2D735EE85CB91

Function 006DE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006DE30D

Strings

pow, xrefs: 006DE2E5, 006DE302

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c3de87d80be4f79a38e86faee7335ff2b4c7d701768a7c2101a967a1e6f2f0fd
Instruction ID: a6f462991ef1baa527095ccfca9c0c294099769a9018a4436b45c536495b1202
Opcode Fuzzy Hash: c3de87d80be4f79a38e86faee7335ff2b4c7d701768a7c2101a967a1e6f2f0fd
Instruction Fuzzy Hash: 66518F61E0D34296CB157715DD013F93BABDF40741F30899AE0D54A3E9EB368C929A8A

Function 00737771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0070569E,00000000,?,0074CC08,?,00000000,00000000), ref: 007378DD

Part of subcall function 006B6B57: _wcslen.LIBCMT ref: 006B6B6A

CharUpperBuffW.USER32(0070569E,00000000,?,0074CC08,00000000,?,00000000,00000000), ref: 0073783B

Strings

<sw, xrefs: 007377C8

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sw
API String ID: 3544283678-407046988
Opcode ID: 0fa841b23e3e16801f99277a180c3994e582555f939da8cba99207a015dcda14
Instruction ID: f8e8995ea0f71b9bc8b2d5dcbbd5e6d4d2e993c6bd0421050fd3e0b845e0668d
Opcode Fuzzy Hash: 0fa841b23e3e16801f99277a180c3994e582555f939da8cba99207a015dcda14
Instruction Fuzzy Hash: A5615EB2914128EADF58EBE4CC91DFDB3B5BF14300F444129F542A7192EF386A85DBA4

Function 006CE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 006CE1B1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fd4ff5a0d3af0f9d3f5e35c6ab0280af87510b39c12aa31534b66ad1e05ecb26
Instruction ID: 3106c0aac32cfbfc0dc4272646a10b6a9906d8d292d0b76a2729b9776dd5583b
Opcode Fuzzy Hash: fd4ff5a0d3af0f9d3f5e35c6ab0280af87510b39c12aa31534b66ad1e05ecb26
Instruction Fuzzy Hash: CD513675600246DFDB29DF28C081BFA7BF6EF15310F248559E8919B2C0D7389E42CBA0

Function 006CF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 006CF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 006CF2BB

Strings

@, xrefs: 006CF2AF

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 6bd607f2af1b2dffddb5a450d1e6821317907104c96cc49aad0f38ff22f192ea
Instruction ID: 0ff0decb43e7dc4ab508df73f16f3a8b4d16c145c3df29244664cbda75609256
Opcode Fuzzy Hash: 6bd607f2af1b2dffddb5a450d1e6821317907104c96cc49aad0f38ff22f192ea
Instruction Fuzzy Hash: 1C5125B14087449BD360AF10D886BABBBF9FFC4310F81885DF199811A5EB709569CB6A

Function 00735745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007357E0
_wcslen.LIBCMT ref: 007357EC

Strings

CALLARGARRAY, xrefs: 007357E6, 007357EB

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: dac68f54bd3e7937cea7ccfa6afacbb3494ed6d750bc07a5fc776dad301ffdcc
Instruction ID: a0b2cd7153f685f66ab05f2ec37ef40dd338c7b3d11b250ffa254c8e3dfa6250
Opcode Fuzzy Hash: dac68f54bd3e7937cea7ccfa6afacbb3494ed6d750bc07a5fc776dad301ffdcc
Instruction Fuzzy Hash: C9418D71A00209DFDB14DFA9C8859FEBBB5EF59320F10806DE505A7292E7389D81CBA0

Function 0072D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0072D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0072D13A

Strings

|, xrefs: 0072D10B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: b5db48b026c068da9ca7484e5a936f618d68f64c363cf1c76522ffe9c3e042f2
Instruction ID: 2a398cf6cc11a9f87ffcb93634e4b251c39ab0cfdb7a0dc2ad37d6c8c5403332
Opcode Fuzzy Hash: b5db48b026c068da9ca7484e5a936f618d68f64c363cf1c76522ffe9c3e042f2
Instruction Fuzzy Hash: BE315071D00219AFCF55EFA4DC85AEE7FBAFF04304F100019F915A6162E735A956CB54

Function 0074356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00743621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0074365C

Strings

static, xrefs: 007435BC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 72e43bf73f5f6d749cc82ba63ed20bfdefa0f724a95f1c96353159abfea43385
Instruction ID: af4ef99cd26250a427f487070544580240edf054a143ee653a9b65a8cf701de6
Opcode Fuzzy Hash: 72e43bf73f5f6d749cc82ba63ed20bfdefa0f724a95f1c96353159abfea43385
Instruction Fuzzy Hash: B0318B71100204AAEB109F38DC81EFB73A9FF88720F11861DF8A997280DB38AD91C765

Function 00744537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0074461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00744634

Strings

', xrefs: 0074458E

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0d74d3d4a1e1341cbeafa6ae3bfe4987483ec85f24706b5ef29e60e5ea3e72ca
Instruction ID: bc28a42118f61eba283b933808722b5daf1cdc8c679377cf2e2f4167ce5a022a
Opcode Fuzzy Hash: 0d74d3d4a1e1341cbeafa6ae3bfe4987483ec85f24706b5ef29e60e5ea3e72ca
Instruction Fuzzy Hash: 683136B4A0120A9FDF14CFA9C981BDABBB5FF09300F11406AE904AB381D774A951DF90

Function 007431EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0074327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00743287

Strings

Combobox, xrefs: 00743249

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 98e047642713f3c924bbb0a71bed32f9fffb99dc9e200b2c2fc5cf20664b27d3
Instruction ID: e3f26c7c5ff7ebb897440e1235813267033e130c049f3e2042cb25fdb6a08eae
Opcode Fuzzy Hash: 98e047642713f3c924bbb0a71bed32f9fffb99dc9e200b2c2fc5cf20664b27d3
Instruction Fuzzy Hash: EC11B271300208BFFF259E54DC85EBB376AFB953A4F104129F91897290D7B99D518760

Function 00743710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 006B600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006B604C
Part of subcall function 006B600E: GetStockObject.GDI32(00000011), ref: 006B6060
Part of subcall function 006B600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 006B606A

GetWindowRect.USER32(00000000,?), ref: 0074377A
GetSysColor.USER32(00000012), ref: 00743794

Strings

static, xrefs: 00743757

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 740bf5e863857d2f7ebcb1f81dfc903075ffd4e481751904b70fed1296781d0b
Instruction ID: 23c2713db3a88c90529d8ca0ec84d5fa40b4d61cbd8e851acd1e255f19f7b8a0
Opcode Fuzzy Hash: 740bf5e863857d2f7ebcb1f81dfc903075ffd4e481751904b70fed1296781d0b
Instruction Fuzzy Hash: D31129B2610209AFDB01DFA8CC46AFA7BB8EB09314F004515F995E2250D739E8519B50

Function 0072CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0072CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0072CDA6

Strings

<local>, xrefs: 0072CD66

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: d916f27bc88ff450df5348ecacb0e3d53a7560da535cdeefe731293c47a52e91
Instruction ID: 117e4fcd77672dd1571c883accc5baf3cd8495700ec130cf42200a803b0d8a91
Opcode Fuzzy Hash: d916f27bc88ff450df5348ecacb0e3d53a7560da535cdeefe731293c47a52e91
Instruction Fuzzy Hash: 1911C6753056317AD7364B669C45EFBBE6CEF237A4F004226B10983180D7789845D6F0

Function 00743429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007434AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007434BA

Strings

edit, xrefs: 0074348F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 747e606118c662ead5f21dd137dd8b4d24570863844d5075eebd044cef76e4f9
Instruction ID: 572df542c9e519475d3e8ceb7bcbee76de60757557a85dab59337bbd3349556b
Opcode Fuzzy Hash: 747e606118c662ead5f21dd137dd8b4d24570863844d5075eebd044cef76e4f9
Instruction Fuzzy Hash: 4911CE71200248AFEB528E68DC44AFB376AEF15374F608324F968931E0C739EC919B64

Function 00716C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00716CB6
_wcslen.LIBCMT ref: 00716CC2

Strings

STOP, xrefs: 00716CBC, 00716CC1

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: d0943e978cdb8d0774c5ff5efd39c10170cadff2d05ee69d1d94ef64cb9d5a7c
Instruction ID: 8d6ab65dbf2283e22bd8757de6d3daad6dea4ef3368f9011c3124fab41c68ad3
Opcode Fuzzy Hash: d0943e978cdb8d0774c5ff5efd39c10170cadff2d05ee69d1d94ef64cb9d5a7c
Instruction Fuzzy Hash: 3A01C432B005268BCB21AFBDDC909FF77B5EA617107500929E852961D0EB39E980C7A0

Function 00711CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00711D4C

Strings

ComboBox, xrefs: 00711CEB
ListBox, xrefs: 00711D16

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 3959537b629a2537abc11ba282270cf3dd5889f3587f410a69c7d7620b4b7908
Instruction ID: 798159bfed9eae1ddc64c95605a0c29cada89cdcc4ce5845f6fef248fdd0d8e3
Opcode Fuzzy Hash: 3959537b629a2537abc11ba282270cf3dd5889f3587f410a69c7d7620b4b7908
Instruction Fuzzy Hash: 040128B1701218AB8B08EFA8DC55CFE7779EB02350B500919F9725B2D1EA385988C770

Function 00711BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00711C46

Strings

ComboBox, xrefs: 00711BE5
ListBox, xrefs: 00711C10

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 104342efc0b900ee2000cd730e980d5cd63b00dd9d0c407b543be1895e0e6ff0
Instruction ID: a2c82ad96f38ecd333182d9dfef2e8cdaff99fd5d619cabe404d54e37f30bce5
Opcode Fuzzy Hash: 104342efc0b900ee2000cd730e980d5cd63b00dd9d0c407b543be1895e0e6ff0
Instruction Fuzzy Hash: 9101F7B5781108A7CF08EF94C951DFF77B89B12340F500419AA16672C1EA289E8887F5

Function 00711C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00711CC8

Strings

ComboBox, xrefs: 00711C69
ListBox, xrefs: 00711C94

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cff864fcbd80918889e09a2ae58e9e51380aee5c40f98f6812f739cfb55a7117
Instruction ID: ad4c3b1e87b917d267962e732f65359394a0fa32eed462034af28be4c89145f2
Opcode Fuzzy Hash: cff864fcbd80918889e09a2ae58e9e51380aee5c40f98f6812f739cfb55a7117
Instruction Fuzzy Hash: C101D6F568111867CF04EFA8CA41EFF77A89B12380F540419BA06772C1EA689F88C7F5

Function 006CA4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006CA529

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Strings

3yp, xrefs: 006CA545, 006CA54D, 006CA552
,%x, xrefs: 006CA509

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%x$3yp
API String ID: 2551934079-2889311038
Opcode ID: dc48f5cc4255deb78e24b7f95670392888928fb9f8f745736deb4bf589fb811b
Instruction ID: fd711dd4a796c346e99a2af753f519ebe854cc69f11b7ec48b612937d38cbdf0
Opcode Fuzzy Hash: dc48f5cc4255deb78e24b7f95670392888928fb9f8f745736deb4bf589fb811b
Instruction Fuzzy Hash: 93012431A8021897C504F3E89C57FBD3366DB04714F90806CF601573C2DE549D428B9A

Function 00711D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006B9CB3: _wcslen.LIBCMT ref: 006B9CBD

Part of subcall function 00713CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00713CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00711DD3

Strings

ComboBox, xrefs: 00711D75
ListBox, xrefs: 00711DA0

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0c34d8a0e86cbc75f878a559a088d5e6ea501dfe898067ac1c6b2618622b0b1f
Instruction ID: 8da0d0356d02f3196a1d0d5500790874686197fab496cf1b8ae800e1e8a71ed6
Opcode Fuzzy Hash: 0c34d8a0e86cbc75f878a559a088d5e6ea501dfe898067ac1c6b2618622b0b1f
Instruction Fuzzy Hash: 6BF02DB1B4121867CB04F7A8DC51FFF7778AB02740F440D19B962672C1EB68594883B4

Function 00748172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00783018,0078305C), ref: 007481BF
CloseHandle.KERNEL32 ref: 007481D1

Strings

\0x, xrefs: 0074818A

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0x
API String ID: 3712363035-461357371
Opcode ID: 95f75288e2dc42d1478353055180f943d66334a98913096b8bb7cc40f44097a2
Instruction ID: 877d899ccf4036572ac7d4a99037a8459d0dfc444609c1beea961de2b7fa005e
Opcode Fuzzy Hash: 95f75288e2dc42d1478353055180f943d66334a98913096b8bb7cc40f44097a2
Instruction Fuzzy Hash: C5F054B1680304BAF2606B69AC45F773A5DDB05B54F108426BB08D51A1D67E9A0093BD

Function 0073747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00737493
_wcslen.LIBCMT ref: 007374B9

Strings

3, 3, 16, 1, xrefs: 00737483

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: f45031534be1af5a68a1e65e2d495474e0c3d0961bfaadae1804cff3e6076cd6
Instruction ID: 360d39f43f858df81b4870cf2fd196b8e7e556e98f2db8bbf1e44a812154d2e3
Opcode Fuzzy Hash: f45031534be1af5a68a1e65e2d495474e0c3d0961bfaadae1804cff3e6076cd6
Instruction Fuzzy Hash: 8CE02B826043A061A279137A9CC197F578ACFC9790B10182FF9C5C6367EEA89D91D3E4

Function 00710B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00710B23

Strings

Error allocating memory., xrefs: 00710B1C
AutoIt, xrefs: 00710B17

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9667ff4adb587779ef2f75dc67342c378251e5b95e77e6c8d8c520ac7c3247a1
Instruction ID: c1035ce349ee6a431ce7d1d75bb0545d7a402b451510614c768ff913ad40dce2
Opcode Fuzzy Hash: 9667ff4adb587779ef2f75dc67342c378251e5b95e77e6c8d8c520ac7c3247a1
Instruction Fuzzy Hash: 03E0927128531837D2913794AC03FD97B86CF05B50F10442EF748555C38BE5689046ED

Function 006D0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 006CF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006D0D71,?,?,?,006B100A), ref: 006CF7CE

IsDebuggerPresent.KERNEL32(?,?,?,006B100A), ref: 006D0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,006B100A), ref: 006D0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006D0D7F

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: eaccf5bd93a6828029516516ff45bed6185574a28787e02ab76278a9bbe72c31
Instruction ID: d0fc6e27288e6cf2a14ba077feebf8c9e7bc9274ccbbab2f33bb3c6f1c5fd561
Opcode Fuzzy Hash: eaccf5bd93a6828029516516ff45bed6185574a28787e02ab76278a9bbe72c31
Instruction Fuzzy Hash: 7EE06DB46003118BE3A0AFB8E8047827BE6BF04741F00892FE482C6751DBF8E4448BA5

Function 006CE398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006CE3D5

Strings

8%x, xrefs: 006CE3CA
0%x, xrefs: 006CE3B5

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%x$8%x
API String ID: 1385522511-415883279
Opcode ID: 9c018a40a1998f8330142128940fc285b35a0655d2b05371a03d063cc9904108
Instruction ID: ec3e1ba3f0825dc9d757712fe2247146231e5cb59e620d88b5a0e93e5ac6af8c
Opcode Fuzzy Hash: 9c018a40a1998f8330142128940fc285b35a0655d2b05371a03d063cc9904108
Instruction Fuzzy Hash: 8CE026318D8990CBCA04A798B85CFA833B7EB0A321B2041FDE006876D3DB393943874C

Function 00723017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0072302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00723044

Strings

aut, xrefs: 00723038

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: edf2a9920c037e915d76ce04af241efb504f6c20812be43801251fe8023d4654
Instruction ID: 46f4615d314129eea6799226db1870f02237e7ee7ac774325b91f63b8c7086a4
Opcode Fuzzy Hash: edf2a9920c037e915d76ce04af241efb504f6c20812be43801251fe8023d4654
Instruction Fuzzy Hash: 5DD05EB654132867DA60A7A4AC0EFCB3A6CEB05750F0042A2B655E6091DBF89984CAD8

Function 0070D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0070D220

Strings

X64, xrefs: 0070D2A8
%.3d, xrefs: 0070D22B

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 9e4b403e8397f2418929a7dd3948dd7087ce7664625d736b4219be46307fca8e
Instruction ID: 5267befdfbc92bcc266b6d4e456e7f7d353bd9e558c99fbfe81d7d24db2e3449
Opcode Fuzzy Hash: 9e4b403e8397f2418929a7dd3948dd7087ce7664625d736b4219be46307fca8e
Instruction Fuzzy Hash: D2D012A1809318EACBA097D0CC49DB9B3FDFB08341F508566F90A92080D76CCD08AB65

Function 00742356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074236C
PostMessageW.USER32(00000000), ref: 00742373

Part of subcall function 0071E97B: Sleep.KERNEL32 ref: 0071E9F3

Strings

Shell_TrayWnd, xrefs: 00742365

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 05ed3bf375ead76cd3cb654722000cad3d8da4fa4d522edd1ccf89fdcb98116b
Instruction ID: bd3ea0114958b268b2bd52d3ed6c53fc82e164f916ea171d7a60dcba574a09ac
Opcode Fuzzy Hash: 05ed3bf375ead76cd3cb654722000cad3d8da4fa4d522edd1ccf89fdcb98116b
Instruction Fuzzy Hash: 0FD0A976382300BAE6A8A3309C0FFCAA6149B02B00F0089127706AA0D0CAA8B8008A48

Function 00742322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0074232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0074233F

Part of subcall function 0071E97B: Sleep.KERNEL32 ref: 0071E9F3

Strings

Shell_TrayWnd, xrefs: 00742325

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1cf72bca060485f80bd38a5bbb67b0ef29dd70e929e59b348aa50c18b543f509
Instruction ID: 15381b4803fbf9282a30b558dc54feca417c9961b3f413c58cfbc5792bccf25c
Opcode Fuzzy Hash: 1cf72bca060485f80bd38a5bbb67b0ef29dd70e929e59b348aa50c18b543f509
Instruction Fuzzy Hash: F6D0227A381300B7E6A8B330DC0FFCABA149B01B00F00C913770AAA0D0CAF8B800CA48

Function 006EBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 006EBE93
GetLastError.KERNEL32 ref: 006EBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006EBEFC

Memory Dump Source

Source File: 00000000.00000002.1314030859.00000000006B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006B0000, based on PE: true

Associated: 00000000.00000002.1314007009.00000000006B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.000000000074C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314138602.0000000000772000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314205260.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1314240106.0000000000784000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6b0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0f8f1f9521d0148104d8dc930527798a7a4ada707e59f2d13b0fdcf541389cc1
Instruction ID: 5d6206b32af7b5aa28c9b50f343b3bf2f085562192ecaeb1110c0c0889a0c4ac
Opcode Fuzzy Hash: 0f8f1f9521d0148104d8dc930527798a7a4ada707e59f2d13b0fdcf541389cc1
Instruction Fuzzy Hash: B841E734602386AFCF218FA6CC44AFB7BA6AF41350F149169F959573A1DB308D01CB65

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.65.91 151.101.65.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000013.00000003.1432961949.000001B4FB89A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: +www.facebook.com. equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1428539857.000001B4FB0B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379952714.000001B4F706F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1447610355.000001B4FB760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1427504918.000001B4FB75E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1379616977.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1383517271.000001B4F183D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1379616977.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1383517271.000001B4F183D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1428539857.000001B4FB0B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1457149991.000001B4F0188000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1476366646.000001B4F0AE2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1447610355.000001B4FB760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1427504918.000001B4FB75E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1470317198.000001B4F73D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324230619.000001B4F73DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478455118.000001B4F73DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1470317198.000001B4F73D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1324230619.000001B4F73DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478455118.000001B4F73DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1324958412.000001B4F0C74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379616977.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1383517271.000001B4F183D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1379616977.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1383517271.000001B4F183D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1429807463.000001B4F70DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3106403772.0000025B7440C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3106403772.0000025B7440C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3106403772.0000025B7440C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1483542432.000001B4F6E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1452593401.000001B4F6E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1483542432.000001B4F6E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1452593401.000001B4F6E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000003.1483542432.000001B4F6E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475907749.000001B4F1198000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1452593401.000001B4F6E1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1427504918.000001B4FB74A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1447645586.000001B4FB74F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1428539857.000001B4FB0B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1457149991.000001B4F0188000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1379555009.000001B4FA7F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1432961949.000001B4FB89A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comB equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1455597459.000001B4F185A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1447610355.000001B4FB760000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1427504918.000001B4FB75E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1379555009.000001B4FA7F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1480191460.000001B4F0178000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1457813555.000001B4F0175000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1476366646.000001B4F0AC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49765 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.65.91:443 -> 192.168.2.7:49808 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49888 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49889 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49888 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dffbd27d-ffd0-41c5-b906-1a25fbf1be66.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_dffbd27d-ffd0-41c5-b906-1a25fbf1be66.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9GMPOC7MVGD0Z2FOIK2A.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PUI2JXKGHBW0QKK9KTWH.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre