Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546541
MD5:	e79f27ab2a69921bb110a37574d7b139
SHA1:	ae5a3c3d0602c608d4bed3331cce90dfec513451
SHA256:	3b6c154cb62e1d8797b300ec8615f3cdfb692f5a31b3f6ab5b66278549332d4d
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E79F27AB2A69921BB110A37574D7B139)

taskkill.exe (PID: 7496 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7632 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7696 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7760 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7824 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7880 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7912 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7928 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8164 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa93a7b-3b91-4bfd-9fb7-65d32f0039f4} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2794d670310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3552 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -parentBuildID 20230927232528 -prefsHandle 3844 -prefMapHandle 3840 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9f37f9f-e46f-48bd-9f0b-fafb995ee8cf} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2795e768d10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7832 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3360 -prefMapHandle 5084 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730b96e6-bfd9-4534-98b2-3f8e5f4bb17b} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 279614bcb10 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7480	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-01T05:02:29.888971+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49739	TCP
2024-11-01T05:03:08.908777+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.8	49757	TCP

Code function: 0_2_006AEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006AED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_006AED6A

Source: C:\Users\user\Desktop\file.exe

0_2_006AEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0069AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0069AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006C9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_006C9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d1624955-0
Source: file.exe, 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_79d507a4-6
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_131e7a2c-e
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_04ea1867-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001609BC7B637 NtQuerySystemInformation,		18_2_000001609BC7B637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001609BC72532 NtQuerySystemInformation,		18_2_000001609BC72532

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0069D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0069D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00691201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00691201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0069E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0069E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063BF40	0_2_0063BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00638060	0_2_00638060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A2046	0_2_006A2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00698298	0_2_00698298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066E4FF	0_2_0066E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066676B	0_2_0066676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C4873	0_2_006C4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0063CAF0	0_2_0063CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065CAA0	0_2_0065CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064CC39	0_2_0064CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00666DD9	0_2_00666DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064D07D	0_2_0064D07D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064B119	0_2_0064B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006391C0	0_2_006391C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00651394	0_2_00651394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00651706	0_2_00651706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065781B	0_2_0065781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064997D	0_2_0064997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00637920	0_2_00637920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006519B0	0_2_006519B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00657A4A	0_2_00657A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00651C77	0_2_00651C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00657CA7	0_2_00657CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006BBE44	0_2_006BBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00669EEE	0_2_00669EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00651F32	0_2_00651F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001609BC7B637	18_2_000001609BC7B637
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001609BC72532	18_2_000001609BC72532
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001609BC72572	18_2_000001609BC72572
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000001609BC72C5C	18_2_000001609BC72C5C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00639CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0064F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00650A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A37B5 GetLastError,FormatMessageW,

0_2_006A37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006910BF AdjustTokenPrivileges,CloseHandle,		0_2_006910BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006916C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006916C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006A51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0069D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0069D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_006A648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006342A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_006342A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7640:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584316828.00000279619DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1579343019.0000027966089000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1583601957.0000027961C85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550412804.0000027961C85000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1623343196.000002795F3AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1609520068.000002795F3AF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE database( name TEXT PRIMARY KEY, origin TEXT NOT NULL, version INTEGER NOT NULL DEFAULT 0, last_vacuum_time INTEGER NOT NULL DEFAULT 0, last_analyze_time INTEGER NOT NULL DEFAULT 0, last_vacuum_size INTEGER NOT NULL DEFAULT 0) WITHOUT ROWIDp;_y
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1633971138.000002796605D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 47%
Source: file.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa93a7b-3b91-4bfd-9fb7-65d32f0039f4} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2794d670310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -parentBuildID 20230927232528 -prefsHandle 3844 -prefMapHandle 3840 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9f37f9f-e46f-48bd-9f0b-fafb995ee8cf} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2795e768d10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3360 -prefMapHandle 5084 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730b96e6-bfd9-4534-98b2-3f8e5f4bb17b} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 279614bcb10 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa93a7b-3b91-4bfd-9fb7-65d32f0039f4} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2794d670310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -parentBuildID 20230927232528 -prefsHandle 3844 -prefMapHandle 3840 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9f37f9f-e46f-48bd-9f0b-fafb995ee8cf} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2795e768d10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3360 -prefMapHandle 5084 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730b96e6-bfd9-4534-98b2-3f8e5f4bb17b} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 279614bcb10 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: crypt32.pdblast-pb-context-exiting source: firefox.exe, 0000000E.00000003.1548949597.00000279697B9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wininet.pdb source: firefox.exe, 0000000E.00000003.1549285150.000002796975B000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: bcrypt.pdb source: firefox.exe, 0000000E.00000003.1548949597.00000279697B9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000E.00000003.1551345005.000002795D0A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1547306735.000002795D0A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000E.00000003.1551345005.000002795D0A2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1547306735.000002795D0A3000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006342DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00650A76 push ecx; ret

0_2_00650A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0064F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006C1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006C1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96324

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001609BC7B637 rdtsc

18_2_000001609BC7B637

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0069DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066C2A2 FindFirstFileExW,	0_2_0066C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A68EE FindFirstFileW,FindClose,	0_2_006A68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_006A698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0069D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0069D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0069D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006A9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006A979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_006A9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006A5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_006A5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006342DE

Source: firefox.exe, 00000010.00000002.2669616755.0000022B22E0A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2667022406.000001609B29A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2671872372.000001609BB60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2667195792.000001546124A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.2673187373.0000022B23212000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000013.00000002.2672088198.0000015461680000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT%
Source: firefox.exe, 00000010.00000002.2673951819.0000022B23300000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2671872372.000001609BB60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000001609BC7B637 rdtsc

18_2_000001609BC7B637

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006AEAA2 BlockInput,

0_2_006AEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00662622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00662622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006342DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00654CE8 mov eax, dword ptr fs:[00000030h]

0_2_00654CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00690B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00690B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00662622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00662622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0065083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006509D5 SetUnhandledExceptionFilter,	0_2_006509D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00650C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00650C21

Source: C:\Users\user\Desktop\file.exe

0_2_00691201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00672BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00672BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0069B226 SendInput,keybd_event,

0_2_0069B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006B22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006B22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00690B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00691663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00691663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 0000000E.00000003.1537810472.0000027967A01000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00650698 cpuid

0_2_00650698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006A8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_006A8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0068D27A GetUserNameW,

0_2_0068D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0066B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0066B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006342DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_006342DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7480, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_006B1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006B1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_006B1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	47%	ReversingLabs	Win32.Trojan.CredentialFlusher
file.exe	42%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
example.org	0%	Virustotal	Browse
star-mini.c10r.facebook.com	0%	Virustotal	Browse
prod.balrog.prod.cloudops.mozgcp.net	0%	Virustotal	Browse
prod.classify-client.prod.webservices.mozgcp.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	0%	URL Reputation	safe
http://detectportal.firefox.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	0%	URL Reputation	safe
https://merino.services.mozilla.com/api/v1/suggest	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema.	0%	URL Reputation	safe
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	0%	URL Reputation	safe
https://spocs.getpocket.com/spocs	0%	URL Reputation	safe
https://shavar.services.mozilla.com	0%	URL Reputation	safe
https://completion.amazon.com/search/complete?q=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	0%	URL Reputation	safe
https://ads.stickyadstv.com/firefox-etp	0%	URL Reputation	safe
https://identity.mozilla.com/ids/ecosystem_telemetryU	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	0%	URL Reputation	safe
https://monitor.firefox.com/breach-details/	0%	URL Reputation	safe
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/addon/	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	0%	URL Reputation	safe
https://tracking-protection-issues.herokuapp.com/new	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	0%	URL Reputation	safe
https://content-signature-2.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2020-12/schema/=	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	0%	URL Reputation	safe
https://api.accounts.firefox.com/v1	0%	URL Reputation	safe
https://ok.ru/	0%	URL Reputation	safe
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	0%	URL Reputation	safe
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	0%	URL Reputation	safe
https://MD8.mozilla.org/1/m	0%	URL Reputation	safe
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	0%	URL Reputation	safe
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	0%	URL Reputation	safe
https://bugzilla.mo	0%	URL Reputation	safe
https://mitmdetection.services.mozilla.com/	0%	URL Reputation	safe
https://static.adsafeprotected.com/firefox-etp-js	0%	URL Reputation	safe
https://shavar.services.mozilla.com/	0%	URL Reputation	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	URL Reputation	safe
https://spocs.getpocket.com/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	0%	URL Reputation	safe
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	0%	URL Reputation	safe
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	0%	URL Reputation	safe
https://monitor.firefox.com/user/breach-stats?includeResolved=true	0%	URL Reputation	safe
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.0/	0%	URL Reputation	safe
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	0%	URL Reputation	safe
https://monitor.firefox.com/user/dashboard	0%	URL Reputation	safe
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	0%	URL Reputation	safe
https://monitor.firefox.com/about	0%	URL Reputation	safe
https://account.bellmedia.c	0%	URL Reputation	safe
https://login.microsoftonline.com	0%	URL Reputation	safe
https://coverage.mozilla.org	0%	URL Reputation	safe
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
https://www.zhihu.com/	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://a9.com/-/spec/opensearch/1.1/	0%	URL Reputation	safe
https://infra.spec.whatwg.org/#ascii-whitespace	0%	URL Reputation	safe
https://blocked.cdn.mozilla.net/	0%	URL Reputation	safe
https://json-schema.org/draft/2019-09/schema	0%	URL Reputation	safe
https://duckduckgo.com/?t=ffab&q=	0%	URL Reputation	safe
https://profiler.firefox.com	0%	URL Reputation	safe
https://outlook.live.com/default.aspx?rru=compose&to=%s	0%	URL Reputation	safe
https://identity.mozilla.com/apps/relay	0%	URL Reputation	safe
https://mathiasbynens.be/	0%	URL Reputation	safe
https://mozilla.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	0%	URL Reputation	safe
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	0%	URL Reputation	safe
https://contile.services.mozilla.com/v1/tiles	0%	URL Reputation	safe
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	0%	URL Reputation	safe
https://monitor.firefox.com/user/preferences	0%	URL Reputation	safe
https://screenshots.firefox.com/	0%	URL Reputation	safe
https://gpuweb.github.io/gpuweb/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
example.org	93.184.215.14	true	false	0%, Virustotal, Browse	unknown
star-mini.c10r.facebook.com	157.240.252.35	true	false	0%, Virustotal, Browse	unknown
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	0%, Virustotal, Browse	unknown
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	0%, Virustotal, Browse	unknown
twitter.com	104.244.42.65	true	false		unknown
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false		unknown
services.addons.mozilla.org	151.101.129.91	true	false		unknown
dyna.wikimedia.org	185.15.59.224	true	false		unknown
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false		unknown
contile.services.mozilla.com	34.117.188.166	true	false		unknown
youtube.com	216.58.206.46	true	false		unknown
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false		unknown
youtube-ui.l.google.com	216.58.212.174	true	false		unknown
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false		unknown
reddit.map.fastly.net	151.101.129.140	true	false		unknown
ipv4only.arpa	192.0.0.171	true	false		unknown
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false		unknown
push.services.mozilla.com	34.107.243.93	true	false		unknown
normandy-cdn.services.mozilla.com	35.201.103.21	true	false		unknown
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false		unknown
www.reddit.com	unknown	unknown	false		unknown
spocs.getpocket.com	unknown	unknown	false		unknown
content-signature-2.cdn.mozilla.net	unknown	unknown	false		unknown
support.mozilla.org	unknown	unknown	false		unknown
firefox.settings.services.mozilla.com	unknown	unknown	false		unknown
www.youtube.com	unknown	unknown	false		unknown
www.facebook.com	unknown	unknown	false		unknown
detectportal.firefox.com	unknown	unknown	false		unknown
normandy.cdn.mozilla.net	unknown	unknown	false		unknown
shavar.services.mozilla.com	unknown	unknown	false		unknown
www.wikipedia.org	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.1584918089.0000027960F90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2668648240.00000154615C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.1612346558.000002795EF45000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1561519255.0000027965A27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000010.00000002.2670266870.0000022B23172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2668648240.0000015461587000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.1596707093.00000279659E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1619240074.00000279659E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1590634797.0000027965679000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000E.00000003.1550146494.000002796544F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1583161845.000002796544F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 0000000E.00000003.1591512303.000002796185B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590034801.000002796185B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589500769.000002796185B000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.1613106697.000002795EB6C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1581065052.000002796566B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467353344.000002795D45A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467708916.000002795D477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467104068.000002795D43C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1612624187.000002795EBAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1634010424.000002796601B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1582880596.0000027965484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549797560.0000027965484000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1501447215.000002795EE71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1499890875.000002795EE71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1613614749.000002795E9D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1464430055.000002795D200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466803165.000002795D41F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467353344.000002795D45A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467708916.000002795D477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1500747541.000002795EE71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467104068.000002795D43C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.msn.com	firefox.exe, 0000000E.00000003.1587271625.00000279600AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1620779667.00000279600B2000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1464430055.000002795D200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466803165.000002795D41F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467353344.000002795D45A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467708916.000002795D477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467104068.000002795D43C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 0000000E.00000003.1495565215.000002795E866000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/	firefox.exe, 0000000E.00000003.1619028349.000002796808F000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.1580244149.00000279657FA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.1596707093.00000279659E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1619240074.00000279659E5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ok.ru/	firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l	firefox.exe, 0000000E.00000003.1626591126.000002795E220000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1596707093.00000279659C7000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 0000000E.00000003.1615441709.000002795E2DC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://win.mail.ru/cgi-bin/sentmsg?mailto=%s	firefox.exe, 0000000E.00000003.1577763557.000002795947D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1653507583.000002795947D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1574167746.000002795947D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.	firefox.exe, 00000010.00000002.2670266870.0000022B231E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2672297688.0000015461803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false		unknown
https://www.youtube.com/	firefox.exe, 00000013.00000002.2668648240.000001546150C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1505131082.000002795DE83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1505498336.000002795DE83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.1622037225.000002795FAB6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1621184968.000002795FDF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606378007.000002795FDC4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.1597559681.000002796577F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B6C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2668648240.00000154615C8000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://127.0.0.1:	firefox.exe, 0000000E.00000003.1489096452.00000279656C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1505131082.000002795DE83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1505498336.000002795DE83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000E.00000003.1562869569.000002795EA96000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1609520068.000002795F3AF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1612624187.000002795EBAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		unknown
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.1591212190.000002795F1DA000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000002.2670266870.0000022B231E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B6E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2672297688.0000015461803000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	URL Reputation: safe	unknown
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.1590634797.0000027965679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1619028349.000002796808F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B612000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2668648240.0000015461513000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://youtube.com/account?=https://accounts.google.co	firefox.exe, 00000013.00000002.2671816726.0000015461670000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false		unknown
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1582880596.0000027965484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549797560.0000027965484000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 0000000E.00000003.1622037225.000002795FAAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1497835682.000002795ED90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1501906941.000002795EE83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550627257.00000279695F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1579410473.000002795D404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1560027756.000002795EE85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473799447.000002795D8E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1615001863.000002795E5C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589432783.00000279695F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590034801.0000027961850000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1581065052.00000279656CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616557423.000002795D7A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1561519255.0000027965A18000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473799447.000002795D8C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1593775898.000002795ED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1473799447.000002795D8CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1588124726.000002795F9D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562869569.000002795EAEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551907004.000002795ED95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1497835682.000002795ED99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562869569.000002795EA94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590034801.0000027961840000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1585589170.0000027960A50000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://youtube.com/	firefox.exe, 0000000E.00000003.1581065052.00000279656CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590634797.00000279656CF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1585589170.0000027960A50000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false	URL Reputation: safe	unknown
https://www.zhihu.com/	firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1615441709.000002795E2DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1580291896.0000027965710000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1615441709.000002795E2DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1580291896.0000027965710000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 0000000E.00000003.1622037225.000002795FAAF000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1561519255.0000027965A27000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://json-schema.org/draft/2019-09/schema	firefox.exe, 0000000E.00000003.1615001863.000002795E5C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1624513511.000002795E5D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000E.00000003.1581065052.0000027965652000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://profiler.firefox.com	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1470303136.000002795AC16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1469525363.000002795AC33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1470521824.000002795AC33000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1611936567.000002795F163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1613907443.000002795F1A3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mathiasbynens.be/	firefox.exe, 0000000E.00000003.1591512303.000002796185B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590034801.000002796185B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1589500769.000002796185B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1602848993.0000027960A7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1585589170.0000027960A7A000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1505131082.000002795DE83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1505498336.000002795DE83000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1577763557.000002795947D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1653507583.000002795947D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1574167746.000002795947D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1470303136.000002795AC16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1469525363.000002795AC33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1470521824.000002795AC33000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1621184968.000002795FDF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606378007.000002795FDC4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1615859291.000002795E267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1489096452.00000279656CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.1579343019.0000027966089000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.2669426485.0000022B22D80000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2668330820.000001609B570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2671628253.0000015461600000.00000002.10000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1467104068.000002795D43C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/search	firefox.exe, 0000000E.00000003.1596707093.00000279659E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1466803165.000002795D41F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467353344.000002795D45A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467708916.000002795D477000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1500747541.000002795EE71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1493221846.000002795E365000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1467104068.000002795D43C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.1582880596.0000027965484000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549797560.0000027965484000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
216.58.206.46	youtube.com	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546541
Start date and time:	2024-11-01 05:01:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 41 Number of non-executed functions: 309
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.11.191.138, 54.185.230.140, 35.160.212.113, 2.22.61.56, 2.22.61.59, 142.250.185.78, 172.217.18.14, 142.250.184.202, 172.217.18.10
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, ocsp.digicert.com, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:02:20	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
services.addons.mozilla.org	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.253.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	157.240.253.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.251.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.252.35

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://my-homepagero.sa.com/exml/	Get hash	malicious	HTMLPhisher	Browse	151.101.65.229
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc230076-38a8-472f-b173-930f501e89ad.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.179508323429888
Encrypted:	false
SSDEEP:	192:7L2b99wMXLHwcbhbVbTbfbRbObtbyEl7nMrTJA6unSrDtTkdmS1:o9bMcNhnzFSJsrq1nSrDhkdmY
MD5:	F026B4BEF6B262D77193666A7EC4F18C
SHA1:	4DB31B1712F6B74D7E9E87B6FF0A5BE50008A602
SHA-256:	6D3895201C7FFC0A45935BC1D3A4C0F237E05933AB9356CD624E5BB915DCB885
SHA-512:	01DB71EA0443C39FECD99880D9089F161F4DDC6F79523723FE97C5102C5CA641DE89790825562613DBC9ECEF2D8396F5EB078C6E3A311DB3E7FE3F5D633475D7
Malicious:	false
Preview:	{"type":"uninstall","id":"cc230076-38a8-472f-b173-930f501e89ad","creationDate":"2024-11-01T05:29:31.283Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc230076-38a8-472f-b173-930f501e89ad.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.179508323429888
Encrypted:	false
SSDEEP:	192:7L2b99wMXLHwcbhbVbTbfbRbObtbyEl7nMrTJA6unSrDtTkdmS1:o9bMcNhnzFSJsrq1nSrDhkdmY
MD5:	F026B4BEF6B262D77193666A7EC4F18C
SHA1:	4DB31B1712F6B74D7E9E87B6FF0A5BE50008A602
SHA-256:	6D3895201C7FFC0A45935BC1D3A4C0F237E05933AB9356CD624E5BB915DCB885
SHA-512:	01DB71EA0443C39FECD99880D9089F161F4DDC6F79523723FE97C5102C5CA641DE89790825562613DBC9ECEF2D8396F5EB078C6E3A311DB3E7FE3F5D633475D7
Malicious:	false
Preview:	{"type":"uninstall","id":"cc230076-38a8-472f-b173-930f501e89ad","creationDate":"2024-11-01T05:29:31.283Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"965729a8-84e4-4cad-a75d-ac8181902c4b","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.940935277589633
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLNL08P:N5dimslH5jVhiwBrr
MD5:	AABF1FEBCFB5508B25328A7E1A2A43BE
SHA1:	E130A324975653B72A3B880A18DA93270F7B100B
SHA-256:	9F3F3CFAACF07DC94C2BE4B56E56B740C41F83F11AC64AEDEBDFF6E6588E65D6
SHA-512:	502D6BB69ED9499FFB8E18D48E74BB4C26D2A644490B249BC3F4E6FC06F1389F86725669D5387B5ECC174841DD58F3245D2B0C5AD380BCBC88EE90AEB4203C44
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.940935277589633
Encrypted:	false
SSDEEP:	192:7LFS+O1U6OdwiOdEiVoslH5jV/ZiwBhZ08jzLNL08P:N5dimslH5jVhiwBrr
MD5:	AABF1FEBCFB5508B25328A7E1A2A43BE
SHA1:	E130A324975653B72A3B880A18DA93270F7B100B
SHA-256:	9F3F3CFAACF07DC94C2BE4B56E56B740C41F83F11AC64AEDEBDFF6E6588E65D6
SHA-512:	502D6BB69ED9499FFB8E18D48E74BB4C26D2A644490B249BC3F4E6FC06F1389F86725669D5387B5ECC174841DD58F3245D2B0C5AD380BCBC88EE90AEB4203C44
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"fbda1f9b-e03c-4207-94bb-3e5ec8a299dc","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T08:19:30.130Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cdbde02e-86fb-4899-ad8a-776106784576","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5320
Entropy (8bit):	6.6042106566953995
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMggiA:zTx2x2t0FDJ4NpkuvjdeplTMp
MD5:	E3E09D3A459131D9A796509E2B74622E
SHA1:	5EA797BF89A9F3FA6D145C5050B65A5789D26684
SHA-256:	56940DF1F209C1289E1FCBDB353AA3308581F3469325BC01584C3C8CC86E09C9
SHA-512:	7F0DA23EC0F97E0D58DB3B6DB6D2FFBAC077847B8C460F18F03CFA0611B313C6A32854E2F8904443DF257960C6FA81F4B1D19409E489488D49963962E338486F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5320
Entropy (8bit):	6.6042106566953995
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMggiA:zTx2x2t0FDJ4NpkuvjdeplTMp
MD5:	E3E09D3A459131D9A796509E2B74622E
SHA1:	5EA797BF89A9F3FA6D145C5050B65A5789D26684
SHA-256:	56940DF1F209C1289E1FCBDB353AA3308581F3469325BC01584C3C8CC86E09C9
SHA-512:	7F0DA23EC0F97E0D58DB3B6DB6D2FFBAC077847B8C460F18F03CFA0611B313C6A32854E2F8904443DF257960C6FA81F4B1D19409E489488D49963962E338486F
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.185849187264327
Encrypted:	false
SSDEEP:	768:0I4nvfwkXU4y6f4k4oB4a4IPN84I4/4uw4J424qF4g:0NPa45
MD5:	6C3BE83A836C11F0781A28C5C276611E
SHA1:	826B42D0E82A04A59A96150A478A9C63172B7506
SHA-256:	FB38EDAD3460F248967331080F6C398248DBC215D16E4BAB3E31CE260E1176B7
SHA-512:	EA67C9DF14F00A17C3044EE63DAFA9E7FA9A4B0F04A4D98CC19F2C9794D6D9A215323E13AD354AF60DE1F31288C565EE4455CFE3B9B8F2877DEF20A4151D4921
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{fc425cd7-ddd8-48c7-9e11-c0b9f650e5fa}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07333090346701869
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	C1CB5CD25264D72EB12C1F915A6CB33E
SHA1:	928A5AD1A89718751503B06FEF6F64A658362788
SHA-256:	4A16DCDAB882D181A9B8684F7ECA8FC8E4AF60B3B7A951A55122367E944038E9
SHA-512:	40FD2D6C5FF758957A5D8FF634A00CB4CF2BFCF9FF53E7E5217A51AD533F380360869EAF263D1F0ACB1434B01BFC012616A06D426D4E6118D540399569CEBACE
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035699946889726504
Encrypted:	false
SSDEEP:	3:GtlstFpU8KOdF3HMjd3lstFpU8KOdF3HMjCT89//alEl:GtWtDjcjd3WtDjcj489XuM
MD5:	B10D2784DC26D33DF9A49DEE72E9C6F6
SHA1:	4ADAC48B13072F7FCEB027DAA65184A3E43EEC2F
SHA-256:	0B47FFB875C096C10224DB42646DDF949BAF4033C86CEE4F846C1CADDDDD3D9E
SHA-512:	85D4B54D65907D21F0E9099EC676AC7BA8F41D1509BA54199C8EE50B45514BF78E0ACAB61E52C9ADFA3A803DB40F81B02455854930F2FFB7D6173C05B5DD1698
Malicious:	false
Preview:	..-......................)\.E./..9$.g.Rz.r$.\|..7..-......................)\.E./..9$.g.Rz.r$.\|..7........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03679008083034587
Encrypted:	false
SSDEEP:	3:Ol1PBYSBl2N6wdN/UOx8aEJ/Nmhml8XW3R2:KTBl23dNUv/Ehm93w
MD5:	E0F3DC5F0BBB8E0326E898CA097D8D0F
SHA1:	FDA2EC2C64D73CCF76D70A0FE961EFD8C6A625B1
SHA-256:	53F87117E812B88AC752435DAA4E8CE36A1083A1B0FBD676E2246E927763E84D
SHA-512:	8035921A4DF2F042B5B1230446673A7274C549AB7932903A40C1100C457BCAE8F59B5C167A7FC3BFC6A510152281BA31E4327A3B7F9AD8049A4AB3CEBDF2C5A8
Malicious:	false
Preview:	7....-...........9$.g.Rz..<..............9$.g.Rz.\)../.E................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	modified
Size (bytes):	13820
Entropy (8bit):	5.467416908374731
Encrypted:	false
SSDEEP:	192:NzqneRdIYbBp6PnmUzaXA6aR6GKWPadjn5RDNBw8dP9mSl:Nz4ekmUIzDD1rwYw0
MD5:	91CBEA790F54ED229DF52837CC1B4C54
SHA1:	5424911C59217401379DDF60279034DB8586608D
SHA-256:	37667D436EE6930BC3250A36EEA4A70DAD5D6313ED53984C01172D715C4DE119
SHA-512:	368EC3BF535CAF42C2775F583EA6537805E6B845FB15BEB8B191030FE76E75C150CD1BB5586F41FED6E636139CD67588EB2AC0347FC6AF5453F015947D2C89CE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730438941);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730438941);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730438941);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173043

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13820
Entropy (8bit):	5.467416908374731
Encrypted:	false
SSDEEP:	192:NzqneRdIYbBp6PnmUzaXA6aR6GKWPadjn5RDNBw8dP9mSl:Nz4ekmUIzDD1rwYw0
MD5:	91CBEA790F54ED229DF52837CC1B4C54
SHA1:	5424911C59217401379DDF60279034DB8586608D
SHA-256:	37667D436EE6930BC3250A36EEA4A70DAD5D6313ED53984C01172D715C4DE119
SHA-512:	368EC3BF535CAF42C2775F583EA6537805E6B845FB15BEB8B191030FE76E75C150CD1BB5586F41FED6E636139CD67588EB2AC0347FC6AF5453F015947D2C89CE
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1730438941);..user_pref("app.update.lastUpdateTime.background-update-timer", 1730438941);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1730438941);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173043

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.329366996309772
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMZjr2LXnIglG/pnxQwRlszT5sKDq03eHVY+qo+pTumamhujJvyODr:GUpOxZjr2gnR6rZ3epfyTZ4JaNIHiw
MD5:	E1C948BEBBCAAC6986FA825369AAA510
SHA1:	206EFBAD67B49E4FAF007AB8651C3500BD9F2F0C
SHA-256:	2DDB3F928D355F4999B678C587CE031EEA17FBC41964CD17A290620F802C41A1
SHA-512:	82428E077907E03BCA8F467DA160E572F2C1A398F5E752582302ECB953C388AE87A8059FB9A1FC5250D26E9FD7B9FF2F1C6AFE2C8C9C75D8D4E0F38054FC27C4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4605be76-38a5-40fe-8ed1-2c0d5431627c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730438944897,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P10376...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...14927,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.329366996309772
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMZjr2LXnIglG/pnxQwRlszT5sKDq03eHVY+qo+pTumamhujJvyODr:GUpOxZjr2gnR6rZ3epfyTZ4JaNIHiw
MD5:	E1C948BEBBCAAC6986FA825369AAA510
SHA1:	206EFBAD67B49E4FAF007AB8651C3500BD9F2F0C
SHA-256:	2DDB3F928D355F4999B678C587CE031EEA17FBC41964CD17A290620F802C41A1
SHA-512:	82428E077907E03BCA8F467DA160E572F2C1A398F5E752582302ECB953C388AE87A8059FB9A1FC5250D26E9FD7B9FF2F1C6AFE2C8C9C75D8D4E0F38054FC27C4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4605be76-38a5-40fe-8ed1-2c0d5431627c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730438944897,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P10376...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...14927,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.329366996309772
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSMZjr2LXnIglG/pnxQwRlszT5sKDq03eHVY+qo+pTumamhujJvyODr:GUpOxZjr2gnR6rZ3epfyTZ4JaNIHiw
MD5:	E1C948BEBBCAAC6986FA825369AAA510
SHA1:	206EFBAD67B49E4FAF007AB8651C3500BD9F2F0C
SHA-256:	2DDB3F928D355F4999B678C587CE031EEA17FBC41964CD17A290620F802C41A1
SHA-512:	82428E077907E03BCA8F467DA160E572F2C1A398F5E752582302ECB953C388AE87A8059FB9A1FC5250D26E9FD7B9FF2F1C6AFE2C8C9C75D8D4E0F38054FC27C4
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{4605be76-38a5-40fe-8ed1-2c0d5431627c}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1730438944897,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...890d5fc3-0c4c-4214-a93a-b8e730a022a1","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P10376...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A4a32081674711da8c0af7e7198f4a549116c7011a74775b8dc2ae1b10b859df4","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...14927,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 4, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.042811512334329
Encrypted:	false
SSDEEP:	24:JBkSldh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jkSWEUo9LXtR+JdkOnohYsl
MD5:	21235938025E2102017AC8C9748948A4
SHA1:	A1EED1C4588724A8396C95FC9923C0A33B360FF8
SHA-256:	E34B06B180E3F73DC8E441650BB7FE694A9D58E927412D6ED40B0852B784824E
SHA-512:	D334B419A2A75179C17D7F53BF65FCC132ADE03B21059F0007ACDBB08284A281D8CE1C1CC598E6A070024D0DAE158E2E9618E121342BE068E87A051FE33D6061
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.011166540261845
Encrypted:	false
SSDEEP:	48:YrSAYKDudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtsfH:ycKDMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	843AB4E728B2C0D43083349829DC35A5
SHA1:	E04313D9092BCD3397784A7679070129F16F3FEE
SHA-256:	A2CE4311331C8636BB36BBF02C903616B38650131D7B100633B82DF88C7D2857
SHA-512:	0C6D292944D8D95DDEB6B80419A7E7DC3098BB881C2E17810F5ED0D0C4FDD249D9FDD408CA174FBB2942613D57A9779EB321B03C2C7014E94C5D88E1534E2EAF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T05:28:39.375Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4411
Entropy (8bit):	5.011166540261845
Encrypted:	false
SSDEEP:	48:YrSAYKDudxUQZpExB1+anOpWZOVhFu1VuWxzzcsYMsku7f86SLAVL7DV9F5FtsfH:ycKDMTEr5RXxzzcBvbw6KkjVrrc2Rn27
MD5:	843AB4E728B2C0D43083349829DC35A5
SHA1:	E04313D9092BCD3397784A7679070129F16F3FEE
SHA-256:	A2CE4311331C8636BB36BBF02C903616B38650131D7B100633B82DF88C7D2857
SHA-512:	0C6D292944D8D95DDEB6B80419A7E7DC3098BB881C2E17810F5ED0D0C4FDD249D9FDD408CA174FBB2942613D57A9779EB321B03C2C7014E94C5D88E1534E2EAF
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-01T05:28:39.375Z","profileAgeCreated":1696493964214,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584656055010914
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	919'552 bytes
MD5:	e79f27ab2a69921bb110a37574d7b139
SHA1:	ae5a3c3d0602c608d4bed3331cce90dfec513451
SHA256:	3b6c154cb62e1d8797b300ec8615f3cdfb692f5a31b3f6ab5b66278549332d4d
SHA512:	6dd62c82afd48ce91bb353f9be96b8ba6f1d8e2406e689b765943328b1cb4c2faad6de32b388937b586654dfc47e3fe9e5c4ebe4b8320ed896dbbfc904a98122
SSDEEP:	12288:MqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDga/Tk:MqDEvCTbMWu7rQYlBQcBiT6rprG8abk
TLSH:	B6159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6724523C [Fri Nov 1 03:59:56 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FE5F8CCA933h
jmp 00007FE5F8CCA23Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE5F8CCA41Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FE5F8CCA3EAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FE5F8CCCFDDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FE5F8CCD028h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FE5F8CCD011h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x9c28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xde000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x9c28	0x9e00	03151362b23d6668222f6b458c49a697	False	0.31561511075949367	data	5.374025014740397	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xde000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xef0	data			1.0028765690376569
RT_GROUP_ICON	0xdd6a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xdd720	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xdd734	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xdd748	0x14	data	English	Great Britain	1.25
RT_VERSION	0xdd75c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xdd838	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-01T05:02:29.888971+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49739	TCP
2024-11-01T05:03:08.908777+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.8	49757	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 05:02:19.292294025 CET	49711	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:19.292336941 CET	443	49711	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:19.292537928 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:19.292583942 CET	443	49712	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:19.292668104 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:19.292710066 CET	443	49713	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:19.302871943 CET	49711	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:19.302887917 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:19.302889109 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:19.308352947 CET	49711	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:19.308373928 CET	443	49711	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:19.309876919 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:19.309889078 CET	443	49713	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:19.311168909 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:19.311183929 CET	443	49712	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:19.312858105 CET	49714	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:19.317737103 CET	80	49714	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:19.327270985 CET	49714	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:19.327838898 CET	49714	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:19.332953930 CET	80	49714	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:19.515702009 CET	49716	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:19.515726089 CET	443	49716	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:19.529642105 CET	49716	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:19.531536102 CET	49716	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:19.531552076 CET	443	49716	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:19.918859005 CET	443	49711	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:19.918874979 CET	443	49711	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:19.919070005 CET	49711	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:19.923608065 CET	80	49714	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.024344921 CET	49711	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:20.024379015 CET	443	49711	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:20.024473906 CET	49711	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:20.024571896 CET	443	49711	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:20.030239105 CET	49714	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.033447027 CET	49711	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:20.035227060 CET	80	49714	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.035329103 CET	49714	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.065820932 CET	49717	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.065882921 CET	443	49717	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.069683075 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.069693089 CET	443	49718	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:20.071803093 CET	49717	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.072043896 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.073487043 CET	49717	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.073504925 CET	443	49717	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.073669910 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.073683977 CET	443	49718	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:20.150916100 CET	443	49716	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.150930882 CET	443	49716	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.151056051 CET	49716	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.156307936 CET	49716	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.156317949 CET	443	49716	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.156387091 CET	49716	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.156459093 CET	443	49716	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.156574011 CET	49716	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.179712057 CET	443	49712	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.179728031 CET	443	49712	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.179795980 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.180438042 CET	443	49712	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.180702925 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.184343100 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.184355021 CET	443	49712	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.184436083 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.184525967 CET	443	49712	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.184637070 CET	49712	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.190239906 CET	443	49713	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.190254927 CET	443	49713	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.190315962 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.190915108 CET	443	49713	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.191178083 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.194787025 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.194801092 CET	443	49713	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.194909096 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.194945097 CET	443	49713	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.195292950 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.195327044 CET	443	49719	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.195353985 CET	49713	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.195539951 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.196962118 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:20.196973085 CET	443	49719	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:20.234879017 CET	49720	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.234975100 CET	49721	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.236424923 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.236447096 CET	443	49722	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.236691952 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.236870050 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.236884117 CET	443	49722	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.239756107 CET	80	49720	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.239769936 CET	80	49721	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.239820957 CET	49720	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.239959002 CET	49720	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.240052938 CET	49721	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.240217924 CET	49721	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.244719028 CET	80	49720	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.244988918 CET	80	49721	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.674118042 CET	443	49717	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.674201965 CET	49717	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.679388046 CET	49717	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.679404020 CET	443	49717	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.679487944 CET	49717	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.679548025 CET	443	49717	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.679641008 CET	49717	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.680835009 CET	443	49718	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:20.689158916 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.691905975 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.691921949 CET	443	49718	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:20.692208052 CET	443	49718	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:20.695264101 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.695349932 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.695413113 CET	443	49718	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:20.695506096 CET	49718	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:20.823030949 CET	49723	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.823077917 CET	443	49723	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.824080944 CET	49723	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.825581074 CET	49723	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:20.825601101 CET	443	49723	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:20.835942984 CET	80	49720	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.836075068 CET	80	49721	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.836260080 CET	49720	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.836276054 CET	49721	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.841381073 CET	80	49720	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.841434002 CET	49720	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.841880083 CET	80	49721	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.841922998 CET	49721	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.862582922 CET	443	49722	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.862672091 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.866008043 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.866013050 CET	443	49722	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.866214991 CET	443	49722	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.869057894 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.869178057 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.869190931 CET	443	49722	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.869328976 CET	49722	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.869570971 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.869590998 CET	443	49724	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.869705915 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.869865894 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:20.869875908 CET	443	49724	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:20.894875050 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.899677992 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:20.899741888 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.899884939 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:20.904612064 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:21.064420938 CET	443	49719	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:21.064496040 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:21.065025091 CET	443	49719	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:21.065507889 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:21.069379091 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:21.069395065 CET	443	49719	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:21.069475889 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:21.069535017 CET	443	49719	216.58.206.46	192.168.2.8
Nov 1, 2024 05:02:21.069645882 CET	49719	443	192.168.2.8	216.58.206.46
Nov 1, 2024 05:02:21.196038961 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:21.200890064 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:21.201056957 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:21.201198101 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:21.205979109 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:21.423784018 CET	443	49723	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:21.428109884 CET	49723	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:21.432652950 CET	49723	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:21.432674885 CET	443	49723	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:21.432738066 CET	49723	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:21.432857990 CET	443	49723	34.117.188.166	192.168.2.8
Nov 1, 2024 05:02:21.432904005 CET	49723	443	192.168.2.8	34.117.188.166
Nov 1, 2024 05:02:21.476489067 CET	443	49724	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:21.476727009 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:21.480035067 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:21.480041981 CET	443	49724	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:21.480691910 CET	443	49724	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:21.483187914 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:21.483273983 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:21.483350992 CET	443	49724	34.160.144.191	192.168.2.8
Nov 1, 2024 05:02:21.483680964 CET	49724	443	192.168.2.8	34.160.144.191
Nov 1, 2024 05:02:21.516527891 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:21.591770887 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:21.645066023 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:21.645088911 CET	443	49728	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:21.645299911 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:21.646733999 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:21.646747112 CET	443	49728	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:21.711622953 CET	49730	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:21.711724043 CET	443	49730	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:21.720572948 CET	49730	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:21.722232103 CET	49730	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:21.722269058 CET	443	49730	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:21.737890005 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:21.737924099 CET	443	49731	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:21.740581036 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:21.740705967 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:21.740722895 CET	443	49731	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:21.741971970 CET	49732	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:21.741985083 CET	443	49732	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:21.742371082 CET	49732	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:21.746758938 CET	49732	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:21.746771097 CET	443	49732	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:21.796144962 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:21.849328041 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:22.247447014 CET	443	49728	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:22.259337902 CET	443	49728	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:22.268523932 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:22.273849010 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:22.317096949 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:22.317114115 CET	443	49728	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:22.317260981 CET	443	49728	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:22.319901943 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:22.319907904 CET	443	49728	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:22.323349953 CET	49728	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:22.324561119 CET	443	49730	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:22.324574947 CET	443	49730	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:22.326183081 CET	49730	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:22.339781046 CET	443	49731	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:22.347170115 CET	443	49732	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:22.354643106 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:22.354821920 CET	49732	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:22.370234966 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:22.370255947 CET	443	49731	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:22.370460987 CET	443	49731	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:22.372503042 CET	49730	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:22.372545958 CET	443	49730	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:22.372575998 CET	49730	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:22.372692108 CET	443	49730	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:22.374772072 CET	49730	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:22.412636995 CET	49732	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:22.412662029 CET	443	49732	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:22.412724018 CET	49732	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:22.412796021 CET	443	49732	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:22.413080931 CET	49732	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:22.415020943 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:22.415134907 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:22.415174007 CET	443	49731	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:22.416373014 CET	49731	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:24.175928116 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:24.180759907 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:24.188313007 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:24.193172932 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:24.210833073 CET	49734	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.210867882 CET	443	49734	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.211282015 CET	49734	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.212699890 CET	49734	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.212718964 CET	443	49734	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.226110935 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.226136923 CET	443	49735	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:24.226357937 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.226546049 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.226555109 CET	443	49735	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:24.304517984 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:24.314352036 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:24.322508097 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:24.327249050 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:24.372922897 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:24.451155901 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:24.493907928 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:24.811094046 CET	443	49734	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.814630985 CET	49734	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.868555069 CET	443	49735	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:24.873965025 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.930620909 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.930644989 CET	443	49735	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:24.930948973 CET	443	49735	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:24.933619022 CET	49734	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.933633089 CET	443	49734	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.933732986 CET	49734	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.933876991 CET	443	49734	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.933939934 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.933980942 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.934108019 CET	443	49735	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:24.935337067 CET	49735	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:24.935340881 CET	49734	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.939485073 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:24.941034079 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.941071033 CET	443	49736	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.941714048 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.943399906 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.943413019 CET	443	49736	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.944230080 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:24.948961020 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.949007034 CET	443	49737	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.949604034 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.949706078 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.949723005 CET	443	49737	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.952424049 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.952435970 CET	443	49738	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:24.952974081 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.953073978 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:24.953083992 CET	443	49738	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.063477039 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:25.067389011 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:25.072153091 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:25.104543924 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:25.196672916 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:25.251615047 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:25.553117990 CET	443	49737	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.555366039 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.558123112 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.558135986 CET	443	49737	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.558367014 CET	443	49737	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.558374882 CET	443	49736	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.559531927 CET	443	49738	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.559945107 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.560089111 CET	443	49737	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.560102940 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.560112953 CET	443	49737	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.562724113 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:25.563334942 CET	443	49736	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.563590050 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.563606024 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.563656092 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.563858986 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.565105915 CET	49737	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.565253973 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.567522049 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:25.567722082 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.567738056 CET	443	49738	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.567945957 CET	443	49738	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.571943998 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.571950912 CET	443	49736	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.572016954 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.572108030 CET	443	49736	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.572585106 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.572637081 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.572722912 CET	443	49738	34.120.208.123	192.168.2.8
Nov 1, 2024 05:02:25.574634075 CET	49736	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.574785948 CET	49738	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:02:25.686964989 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:25.737421989 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:28.240458965 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:28.245209932 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:28.368886948 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:28.413949013 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:30.136490107 CET	49744	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:30.136511087 CET	443	49744	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:30.136776924 CET	49744	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:30.138216019 CET	49744	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:30.138227940 CET	443	49744	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:30.743840933 CET	443	49744	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:30.743989944 CET	49744	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:31.767638922 CET	49744	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:31.767659903 CET	443	49744	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:31.767736912 CET	49744	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:31.767978907 CET	443	49744	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:31.769259930 CET	49744	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:32.096673965 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:32.101768970 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:32.221090078 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:32.273379087 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:33.595680952 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:33.600440979 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:33.732306004 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:33.777792931 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:41.810285091 CET	49745	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:41.810324907 CET	443	49745	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:41.810708046 CET	49745	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:41.812813997 CET	49745	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:41.812829971 CET	443	49745	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:42.234227896 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:42.239089966 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:42.422573090 CET	443	49745	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:42.422755957 CET	49745	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:42.427725077 CET	49745	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:42.427736998 CET	443	49745	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:42.427812099 CET	49745	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:42.427879095 CET	443	49745	34.107.243.93	192.168.2.8
Nov 1, 2024 05:02:42.428675890 CET	49745	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:02:42.430825949 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:42.435722113 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:42.555349112 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:42.559345007 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:42.564238071 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:42.604274035 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:42.687977076 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:42.735747099 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:47.216340065 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.216370106 CET	443	49746	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.216459036 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.216588020 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.216598034 CET	443	49746	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.223011971 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.223026991 CET	443	49747	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.223148108 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.223252058 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.223258972 CET	443	49747	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.223830938 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.223864079 CET	443	49748	151.101.129.91	192.168.2.8
Nov 1, 2024 05:02:47.223917007 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.224013090 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.224029064 CET	443	49748	151.101.129.91	192.168.2.8
Nov 1, 2024 05:02:47.235404015 CET	49749	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:47.235421896 CET	443	49749	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:47.242814064 CET	49749	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:47.244294882 CET	49749	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:47.244302034 CET	443	49749	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:47.257806063 CET	49750	443	192.168.2.8	35.201.103.21
Nov 1, 2024 05:02:47.257841110 CET	443	49750	35.201.103.21	192.168.2.8
Nov 1, 2024 05:02:47.263979912 CET	49750	443	192.168.2.8	35.201.103.21
Nov 1, 2024 05:02:47.265434980 CET	49750	443	192.168.2.8	35.201.103.21
Nov 1, 2024 05:02:47.265449047 CET	443	49750	35.201.103.21	192.168.2.8
Nov 1, 2024 05:02:47.829411983 CET	443	49748	151.101.129.91	192.168.2.8
Nov 1, 2024 05:02:47.829551935 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.831177950 CET	443	49746	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.832549095 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.832566977 CET	443	49748	151.101.129.91	192.168.2.8
Nov 1, 2024 05:02:47.832798004 CET	443	49748	151.101.129.91	192.168.2.8
Nov 1, 2024 05:02:47.832874060 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.835293055 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.835299015 CET	443	49746	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.835532904 CET	443	49746	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.837325096 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.837409019 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.837527037 CET	443	49748	151.101.129.91	192.168.2.8
Nov 1, 2024 05:02:47.837651968 CET	443	49747	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.838463068 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.838514090 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.838608027 CET	443	49746	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.844953060 CET	49748	443	192.168.2.8	151.101.129.91
Nov 1, 2024 05:02:47.844959021 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.844974041 CET	49746	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.847104073 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.847599030 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.847611904 CET	443	49747	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.847803116 CET	443	49747	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.849394083 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.849467039 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.849531889 CET	443	49747	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.850102901 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.850506067 CET	49747	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.855273008 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.855309963 CET	443	49751	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.856584072 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.856631994 CET	443	49752	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.856882095 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.857083082 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.857178926 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.857188940 CET	443	49751	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.857285976 CET	443	49749	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:47.857300043 CET	443	49749	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:47.857301950 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.857319117 CET	443	49752	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.859170914 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.859191895 CET	443	49753	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.860181093 CET	49749	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:47.860213995 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.862297058 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:47.862620115 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:47.862628937 CET	443	49753	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:47.864322901 CET	49749	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:47.864335060 CET	443	49749	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:47.864392996 CET	49749	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:47.864589930 CET	443	49749	35.190.72.216	192.168.2.8
Nov 1, 2024 05:02:47.865408897 CET	49749	443	192.168.2.8	35.190.72.216
Nov 1, 2024 05:02:47.867155075 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:47.897301912 CET	443	49750	35.201.103.21	192.168.2.8
Nov 1, 2024 05:02:47.902904987 CET	49750	443	192.168.2.8	35.201.103.21
Nov 1, 2024 05:02:47.910367012 CET	49750	443	192.168.2.8	35.201.103.21
Nov 1, 2024 05:02:47.910393000 CET	443	49750	35.201.103.21	192.168.2.8
Nov 1, 2024 05:02:47.910440922 CET	49750	443	192.168.2.8	35.201.103.21
Nov 1, 2024 05:02:47.910537958 CET	443	49750	35.201.103.21	192.168.2.8
Nov 1, 2024 05:02:47.914453030 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.914527893 CET	443	49754	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.915987968 CET	49750	443	192.168.2.8	35.201.103.21
Nov 1, 2024 05:02:47.916044950 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.916544914 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:47.916568995 CET	443	49754	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:47.987176895 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:47.990403891 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:47.998759031 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:48.035232067 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:48.120980978 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:48.166580915 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:48.471745968 CET	443	49751	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.471941948 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.475464106 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.475472927 CET	443	49751	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.475697041 CET	443	49751	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.477705956 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.477804899 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.477847099 CET	443	49751	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.477947950 CET	49751	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.482521057 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:48.483649969 CET	443	49753	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.483808994 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.484282970 CET	443	49752	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.486569881 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.486578941 CET	443	49753	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.486798048 CET	443	49753	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.486977100 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.488409042 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:48.489187002 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.489196062 CET	443	49752	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.489420891 CET	443	49752	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.491986990 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.492077112 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.492121935 CET	443	49753	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.492556095 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.492604971 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.492688894 CET	443	49752	35.244.181.201	192.168.2.8
Nov 1, 2024 05:02:48.492878914 CET	49753	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.495060921 CET	49752	443	192.168.2.8	35.244.181.201
Nov 1, 2024 05:02:48.513442039 CET	443	49754	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:48.513525963 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:48.516293049 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:48.516309977 CET	443	49754	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:48.516539097 CET	443	49754	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:48.518757105 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:48.518871069 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:48.518907070 CET	443	49754	34.149.100.209	192.168.2.8
Nov 1, 2024 05:02:48.519634008 CET	49754	443	192.168.2.8	34.149.100.209
Nov 1, 2024 05:02:48.609621048 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:48.613571882 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:48.618550062 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:48.652029037 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:48.742906094 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:48.783581018 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:58.612310886 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:58.617113113 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:02:58.750224113 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:02:58.755079985 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:02.455874920 CET	49756	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:02.455912113 CET	443	49756	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:02.455986023 CET	49756	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:02.457386971 CET	49756	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:02.457397938 CET	443	49756	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:03.072242975 CET	443	49756	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:03.072314024 CET	49756	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:03.076755047 CET	49756	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:03.076777935 CET	443	49756	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:03.076841116 CET	49756	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:03.076932907 CET	443	49756	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:03.078540087 CET	49756	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:03.080455065 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:03.085191965 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:03.204699993 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:03.210503101 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:03.215241909 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:03.247891903 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:03.339231968 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:03.395087004 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:13.210019112 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:13.218523026 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:13.354074955 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:13.358993053 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:17.362124920 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.362211943 CET	443	49758	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.362261057 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.362284899 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.362391949 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.362426043 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.362503052 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.362539053 CET	443	49761	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.362610102 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.362620115 CET	443	49762	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.362721920 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.362730026 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.363243103 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363244057 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363245964 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363259077 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363259077 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363270044 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363462925 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363501072 CET	443	49758	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.363567114 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363581896 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.363631964 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363646984 CET	443	49762	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.363697052 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363704920 CET	443	49761	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.363754034 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363766909 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.363827944 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.363842010 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.977724075 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.977844000 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.978677988 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.978739023 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.978977919 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.979036093 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.979110003 CET	443	49761	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.979183912 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.979552984 CET	443	49758	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.979713917 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.981575012 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.981585026 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.981834888 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.983591080 CET	443	49762	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.983649969 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.984230995 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.984246969 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.984498978 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.986521006 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.986531019 CET	443	49761	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.986758947 CET	443	49761	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.988992929 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.989018917 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.989212036 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.991359949 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.991406918 CET	443	49758	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.991620064 CET	443	49758	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.993663073 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.993695021 CET	443	49762	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.993877888 CET	443	49762	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.998785973 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.998941898 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.999077082 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.999083996 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:17.999881029 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:17.999911070 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.005676985 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.005805969 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.005880117 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.005886078 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.006299019 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.006324053 CET	443	49765	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.006618977 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.006685972 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.006742001 CET	443	49761	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.010797024 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.010950089 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.010987043 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.011003017 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.011076927 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.011151075 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.011223078 CET	443	49758	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.011534929 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.011599064 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.011689901 CET	443	49762	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.012995005 CET	49761	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.013012886 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.013103962 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.013247013 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.013261080 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.013371944 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.013382912 CET	443	49765	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.013725042 CET	49758	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.013725042 CET	49762	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.021034002 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:18.027338028 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.146487951 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.150023937 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:18.155275106 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.200022936 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:18.207338095 CET	443	49759	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.207391024 CET	49759	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.211328030 CET	443	49763	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.211378098 CET	49763	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.219336987 CET	443	49760	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.219388008 CET	49760	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.279696941 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.331561089 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:18.629448891 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.629465103 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.629528046 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.630840063 CET	443	49765	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.630855083 CET	443	49765	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.630954027 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.632883072 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.632889986 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.633132935 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.636426926 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.636435032 CET	443	49765	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.636687040 CET	443	49765	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.640299082 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.640449047 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.640453100 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.640461922 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.640652895 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.640701056 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.640845060 CET	443	49765	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.642406940 CET	49765	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.643781900 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:18.648588896 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.767852068 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.770931005 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:18.775821924 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.817073107 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:18.859333038 CET	443	49764	34.120.208.123	192.168.2.8
Nov 1, 2024 05:03:18.859406948 CET	49764	443	192.168.2.8	34.120.208.123
Nov 1, 2024 05:03:18.899606943 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:18.948596954 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:22.349313974 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:22.354166985 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:22.473670959 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:22.476743937 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:22.481584072 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:22.531335115 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:22.605736971 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:22.659164906 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:32.487616062 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:32.494194984 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:32.625731945 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:32.630650043 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:42.515585899 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:42.520534039 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:42.645200968 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:42.650062084 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:43.273932934 CET	49769	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:43.273973942 CET	443	49769	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:43.274382114 CET	49769	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:43.275906086 CET	49769	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:43.275921106 CET	443	49769	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:43.882690907 CET	443	49769	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:43.882766008 CET	49769	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:43.886720896 CET	49769	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:43.886732101 CET	443	49769	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:43.886830091 CET	49769	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:43.886884928 CET	443	49769	34.107.243.93	192.168.2.8
Nov 1, 2024 05:03:43.887057066 CET	49769	443	192.168.2.8	34.107.243.93
Nov 1, 2024 05:03:43.889511108 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:43.894341946 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:44.013994932 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:44.017788887 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:44.022757053 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:44.064990997 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:44.146565914 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:44.196598053 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:54.025249958 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:54.030874968 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:03:54.147705078 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:03:54.152623892 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:04:04.038357973 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:04:04.043160915 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:04:04.154350996 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:04:04.159200907 CET	80	49725	34.107.221.82	192.168.2.8
Nov 1, 2024 05:04:14.050683022 CET	49727	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:04:14.055537939 CET	80	49727	34.107.221.82	192.168.2.8
Nov 1, 2024 05:04:14.166598082 CET	49725	80	192.168.2.8	34.107.221.82
Nov 1, 2024 05:04:14.171488047 CET	80	49725	34.107.221.82	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 1, 2024 05:02:19.242197037 CET	54389	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.242330074 CET	49257	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.249479055 CET	53	49257	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.313591003 CET	51558	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.313790083 CET	55381	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.320353031 CET	53	55381	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.320488930 CET	53	51558	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.336020947 CET	53323	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.336236954 CET	56067	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.336416960 CET	64297	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.342746973 CET	53	53323	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.342992067 CET	53	64297	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.343115091 CET	53	56067	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.353701115 CET	64053	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.360348940 CET	53	64053	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.492882967 CET	50709	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.501178980 CET	53	50709	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.520113945 CET	64952	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.527050972 CET	53	64952	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:19.532453060 CET	54958	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:19.540517092 CET	53	54958	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.057300091 CET	61994	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.060522079 CET	50063	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.063952923 CET	53	61994	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.067471981 CET	53	50063	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.070183992 CET	50434	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.075705051 CET	56572	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.075988054 CET	63982	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.076786995 CET	53	50434	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.082398891 CET	53	63982	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.083117008 CET	53	56572	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.087625980 CET	55956	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.088845015 CET	62836	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.096003056 CET	53	62836	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.108506918 CET	53	55956	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.227557898 CET	52078	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.228807926 CET	64238	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.235338926 CET	53	64238	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.236619949 CET	51895	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.243154049 CET	53	51895	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:20.243716955 CET	52919	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:20.250380993 CET	53	52919	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.135031939 CET	65208	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.169722080 CET	53	60209	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.325117111 CET	59062	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.331763029 CET	53	59062	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.341655016 CET	61228	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.348318100 CET	53	61228	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.355628967 CET	59685	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.362488031 CET	53	59685	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.684138060 CET	58400	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.690619946 CET	53	58400	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.738354921 CET	56017	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.742304087 CET	50777	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.744811058 CET	53	56017	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.746273041 CET	54469	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.750086069 CET	53	50777	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.752955914 CET	53	54469	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:21.763959885 CET	64634	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:21.770710945 CET	53	64634	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:24.174784899 CET	52447	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:24.181663036 CET	53	52447	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:24.199501991 CET	61531	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:24.215015888 CET	53	61531	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:24.226906061 CET	62696	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:24.233807087 CET	53	62696	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.225783110 CET	63964	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.226010084 CET	57986	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.226280928 CET	62164	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.232538939 CET	53	57986	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.232728004 CET	53	63964	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.233418941 CET	53	62164	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.248446941 CET	62921	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.250391006 CET	54417	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.250791073 CET	60502	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.255261898 CET	53	62921	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.257107973 CET	53	54417	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.257460117 CET	59856	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.257661104 CET	53	60502	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.257903099 CET	60080	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.258251905 CET	61454	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.263968945 CET	53	59856	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.264633894 CET	53	60080	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.267693996 CET	49330	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.270004034 CET	49224	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.274564028 CET	53	49330	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.276483059 CET	53	49224	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.276529074 CET	59774	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.277077913 CET	53596	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.283536911 CET	53	59774	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.283807039 CET	53	53596	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.285866976 CET	57433	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.286345005 CET	54962	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:28.292538881 CET	53	57433	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.293396950 CET	53	54962	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:28.387130976 CET	53	61454	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:30.136035919 CET	61754	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:30.142842054 CET	53	61754	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:30.144027948 CET	56780	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:30.150631905 CET	53	56780	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:41.810655117 CET	58353	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:41.817517996 CET	53	58353	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:43.709039927 CET	53703	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:43.716305971 CET	53	53703	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.212709904 CET	61700	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.213171005 CET	51333	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.222095966 CET	53	61700	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.222111940 CET	53	51333	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.222624063 CET	52087	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.223953962 CET	50898	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.233666897 CET	53	52087	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.233680010 CET	53	50898	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.240401030 CET	58637	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.241909981 CET	55063	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.251286983 CET	53	58637	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.251301050 CET	53	55063	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.258330107 CET	52378	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.266604900 CET	53	52378	1.1.1.1	192.168.2.8
Nov 1, 2024 05:02:47.273602009 CET	53460	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:02:47.280499935 CET	53	53460	1.1.1.1	192.168.2.8
Nov 1, 2024 05:03:02.448312998 CET	62890	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:03:02.454853058 CET	53	62890	1.1.1.1	192.168.2.8
Nov 1, 2024 05:03:02.455770016 CET	58158	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:03:02.462394953 CET	53	58158	1.1.1.1	192.168.2.8
Nov 1, 2024 05:03:03.080714941 CET	63561	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:03:17.361340046 CET	64466	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:03:17.368120909 CET	53	64466	1.1.1.1	192.168.2.8
Nov 1, 2024 05:03:43.265860081 CET	50061	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:03:43.272944927 CET	53	50061	1.1.1.1	192.168.2.8
Nov 1, 2024 05:03:43.274164915 CET	58593	53	192.168.2.8	1.1.1.1
Nov 1, 2024 05:03:43.280810118 CET	53	58593	1.1.1.1	192.168.2.8
Nov 1, 2024 05:03:43.889750004 CET	59843	53	192.168.2.8	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 1, 2024 05:02:19.242197037 CET	192.168.2.8	1.1.1.1	0x4fc4	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.242330074 CET	192.168.2.8	1.1.1.1	0xe30a	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.313591003 CET	192.168.2.8	1.1.1.1	0xce1e	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.313790083 CET	192.168.2.8	1.1.1.1	0x1a2b	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.336020947 CET	192.168.2.8	1.1.1.1	0x39b1	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.336236954 CET	192.168.2.8	1.1.1.1	0x5fdc	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:19.336416960 CET	192.168.2.8	1.1.1.1	0x9185	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:19.353701115 CET	192.168.2.8	1.1.1.1	0xb34	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:19.492882967 CET	192.168.2.8	1.1.1.1	0x1b5f	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.520113945 CET	192.168.2.8	1.1.1.1	0xb7da	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.532453060 CET	192.168.2.8	1.1.1.1	0xeb22	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:20.057300091 CET	192.168.2.8	1.1.1.1	0xd46d	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.060522079 CET	192.168.2.8	1.1.1.1	0x6e4a	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.070183992 CET	192.168.2.8	1.1.1.1	0x6a33	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.075705051 CET	192.168.2.8	1.1.1.1	0xb1b1	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.075988054 CET	192.168.2.8	1.1.1.1	0x9dae	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.087625980 CET	192.168.2.8	1.1.1.1	0xb83d	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:20.088845015 CET	192.168.2.8	1.1.1.1	0xfe09	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:20.227557898 CET	192.168.2.8	1.1.1.1	0x60b0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.228807926 CET	192.168.2.8	1.1.1.1	0xcc91	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.236619949 CET	192.168.2.8	1.1.1.1	0xdb65	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.243716955 CET	192.168.2.8	1.1.1.1	0x1d18	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:21.135031939 CET	192.168.2.8	1.1.1.1	0x868e	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.325117111 CET	192.168.2.8	1.1.1.1	0x73bf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.341655016 CET	192.168.2.8	1.1.1.1	0xdf01	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.355628967 CET	192.168.2.8	1.1.1.1	0x2958	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:21.684138060 CET	192.168.2.8	1.1.1.1	0xc16c	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.738354921 CET	192.168.2.8	1.1.1.1	0x99cf	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.742304087 CET	192.168.2.8	1.1.1.1	0xc21b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.746273041 CET	192.168.2.8	1.1.1.1	0x1a32	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:21.763959885 CET	192.168.2.8	1.1.1.1	0xebb8	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:24.174784899 CET	192.168.2.8	1.1.1.1	0x582	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:24.199501991 CET	192.168.2.8	1.1.1.1	0x850d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:24.226906061 CET	192.168.2.8	1.1.1.1	0xec3a	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:28.225783110 CET	192.168.2.8	1.1.1.1	0x63fe	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.226010084 CET	192.168.2.8	1.1.1.1	0x3ef	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.226280928 CET	192.168.2.8	1.1.1.1	0x6387	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.248446941 CET	192.168.2.8	1.1.1.1	0x5edd	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.250391006 CET	192.168.2.8	1.1.1.1	0x6a08	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.250791073 CET	192.168.2.8	1.1.1.1	0x3b6d	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257460117 CET	192.168.2.8	1.1.1.1	0x5e34	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:28.257903099 CET	192.168.2.8	1.1.1.1	0x11b2	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:28.258251905 CET	192.168.2.8	1.1.1.1	0xd0c1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 1, 2024 05:02:28.267693996 CET	192.168.2.8	1.1.1.1	0x3145	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.270004034 CET	192.168.2.8	1.1.1.1	0xa8e7	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.276529074 CET	192.168.2.8	1.1.1.1	0x6a66	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.277077913 CET	192.168.2.8	1.1.1.1	0x468	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.285866976 CET	192.168.2.8	1.1.1.1	0xd45e	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:28.286345005 CET	192.168.2.8	1.1.1.1	0x713b	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:30.136035919 CET	192.168.2.8	1.1.1.1	0x52d2	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:30.144027948 CET	192.168.2.8	1.1.1.1	0x1e36	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:41.810655117 CET	192.168.2.8	1.1.1.1	0xb6b1	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:02:43.709039927 CET	192.168.2.8	1.1.1.1	0xad20	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.212709904 CET	192.168.2.8	1.1.1.1	0xa1fe	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.213171005 CET	192.168.2.8	1.1.1.1	0xbd15	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222624063 CET	192.168.2.8	1.1.1.1	0x87e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 1, 2024 05:02:47.223953962 CET	192.168.2.8	1.1.1.1	0xb6c8	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.240401030 CET	192.168.2.8	1.1.1.1	0x14c8	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 1, 2024 05:02:47.241909981 CET	192.168.2.8	1.1.1.1	0x3507	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.258330107 CET	192.168.2.8	1.1.1.1	0x94f5	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.273602009 CET	192.168.2.8	1.1.1.1	0x5cc2	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:03:02.448312998 CET	192.168.2.8	1.1.1.1	0x3acf	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:03:02.455770016 CET	192.168.2.8	1.1.1.1	0x8376	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:03:03.080714941 CET	192.168.2.8	1.1.1.1	0xb52	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:03:17.361340046 CET	192.168.2.8	1.1.1.1	0xe16e	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:03:43.265860081 CET	192.168.2.8	1.1.1.1	0x8578	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:03:43.274164915 CET	192.168.2.8	1.1.1.1	0xaf68	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 1, 2024 05:03:43.889750004 CET	192.168.2.8	1.1.1.1	0x5727	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 1, 2024 05:02:19.249454975 CET	1.1.1.1	192.168.2.8	0x1dc7	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.249479055 CET	1.1.1.1	192.168.2.8	0xe30a	No error (0)	youtube.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.249490023 CET	1.1.1.1	192.168.2.8	0x4fc4	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:19.249490023 CET	1.1.1.1	192.168.2.8	0x4fc4	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.320353031 CET	1.1.1.1	192.168.2.8	0x1a2b	No error (0)	youtube.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.320488930 CET	1.1.1.1	192.168.2.8	0xce1e	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.342746973 CET	1.1.1.1	192.168.2.8	0x39b1	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.342992067 CET	1.1.1.1	192.168.2.8	0x9185	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 1, 2024 05:02:19.360348940 CET	1.1.1.1	192.168.2.8	0xb34	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 05:02:19.501178980 CET	1.1.1.1	192.168.2.8	0x1b5f	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:19.527050972 CET	1.1.1.1	192.168.2.8	0xb7da	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.063952923 CET	1.1.1.1	192.168.2.8	0xd46d	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:20.063952923 CET	1.1.1.1	192.168.2.8	0xd46d	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.064754009 CET	1.1.1.1	192.168.2.8	0x75b0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:20.064754009 CET	1.1.1.1	192.168.2.8	0x75b0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.067471981 CET	1.1.1.1	192.168.2.8	0x6e4a	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.076786995 CET	1.1.1.1	192.168.2.8	0x6a33	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.076786995 CET	1.1.1.1	192.168.2.8	0x6a33	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.082398891 CET	1.1.1.1	192.168.2.8	0x9dae	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.083117008 CET	1.1.1.1	192.168.2.8	0xb1b1	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.234124899 CET	1.1.1.1	192.168.2.8	0x60b0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:20.234124899 CET	1.1.1.1	192.168.2.8	0x60b0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.235338926 CET	1.1.1.1	192.168.2.8	0xcc91	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:20.235338926 CET	1.1.1.1	192.168.2.8	0xcc91	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:20.235338926 CET	1.1.1.1	192.168.2.8	0xcc91	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.243154049 CET	1.1.1.1	192.168.2.8	0xdb65	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:20.250380993 CET	1.1.1.1	192.168.2.8	0x1d18	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 1, 2024 05:02:21.143433094 CET	1.1.1.1	192.168.2.8	0x868e	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:21.331763029 CET	1.1.1.1	192.168.2.8	0x73bf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.348318100 CET	1.1.1.1	192.168.2.8	0xdf01	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.679192066 CET	1.1.1.1	192.168.2.8	0x25	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:21.679192066 CET	1.1.1.1	192.168.2.8	0x25	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.690619946 CET	1.1.1.1	192.168.2.8	0xc16c	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:21.690619946 CET	1.1.1.1	192.168.2.8	0xc16c	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.720659971 CET	1.1.1.1	192.168.2.8	0xb54e	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.744811058 CET	1.1.1.1	192.168.2.8	0x99cf	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:21.750086069 CET	1.1.1.1	192.168.2.8	0xc21b	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:24.181663036 CET	1.1.1.1	192.168.2.8	0x582	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:24.181663036 CET	1.1.1.1	192.168.2.8	0x582	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:24.181663036 CET	1.1.1.1	192.168.2.8	0x582	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:24.206229925 CET	1.1.1.1	192.168.2.8	0xac97	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:24.215015888 CET	1.1.1.1	192.168.2.8	0x850d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232538939 CET	1.1.1.1	192.168.2.8	0x3ef	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232538939 CET	1.1.1.1	192.168.2.8	0x3ef	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.181.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.232728004 CET	1.1.1.1	192.168.2.8	0x63fe	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.233418941 CET	1.1.1.1	192.168.2.8	0x6387	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:28.233418941 CET	1.1.1.1	192.168.2.8	0x6387	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.255261898 CET	1.1.1.1	192.168.2.8	0x5edd	No error (0)	star-mini.c10r.facebook.com		157.240.252.35	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.185.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.186.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		172.217.16.206	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		216.58.212.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.185.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		216.58.206.46	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		216.58.206.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		172.217.18.14	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.184.238	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.185.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		216.58.212.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.186.174	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.185.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.185.142	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257107973 CET	1.1.1.1	192.168.2.8	0x6a08	No error (0)	youtube-ui.l.google.com		142.250.186.110	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.257661104 CET	1.1.1.1	192.168.2.8	0x3b6d	No error (0)	dyna.wikimedia.org		185.15.59.224	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.263968945 CET	1.1.1.1	192.168.2.8	0x5e34	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 1, 2024 05:02:28.264633894 CET	1.1.1.1	192.168.2.8	0x11b2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 05:02:28.264633894 CET	1.1.1.1	192.168.2.8	0x11b2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 05:02:28.264633894 CET	1.1.1.1	192.168.2.8	0x11b2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 05:02:28.264633894 CET	1.1.1.1	192.168.2.8	0x11b2	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 1, 2024 05:02:28.274564028 CET	1.1.1.1	192.168.2.8	0x3145	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:28.274564028 CET	1.1.1.1	192.168.2.8	0x3145	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.274564028 CET	1.1.1.1	192.168.2.8	0x3145	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.274564028 CET	1.1.1.1	192.168.2.8	0x3145	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.274564028 CET	1.1.1.1	192.168.2.8	0x3145	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.276483059 CET	1.1.1.1	192.168.2.8	0xa8e7	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.283536911 CET	1.1.1.1	192.168.2.8	0x6a66	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.283536911 CET	1.1.1.1	192.168.2.8	0x6a66	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.283536911 CET	1.1.1.1	192.168.2.8	0x6a66	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.283536911 CET	1.1.1.1	192.168.2.8	0x6a66	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.283807039 CET	1.1.1.1	192.168.2.8	0x468	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:28.387130976 CET	1.1.1.1	192.168.2.8	0xd0c1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 1, 2024 05:02:30.142842054 CET	1.1.1.1	192.168.2.8	0x52d2	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:43.716305971 CET	1.1.1.1	192.168.2.8	0xad20	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222095966 CET	1.1.1.1	192.168.2.8	0xa1fe	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222111940 CET	1.1.1.1	192.168.2.8	0xbd15	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222111940 CET	1.1.1.1	192.168.2.8	0xbd15	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222111940 CET	1.1.1.1	192.168.2.8	0xbd15	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222111940 CET	1.1.1.1	192.168.2.8	0xbd15	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222124100 CET	1.1.1.1	192.168.2.8	0xa622	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:47.222124100 CET	1.1.1.1	192.168.2.8	0xa622	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.233680010 CET	1.1.1.1	192.168.2.8	0xb6c8	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.233680010 CET	1.1.1.1	192.168.2.8	0xb6c8	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.233680010 CET	1.1.1.1	192.168.2.8	0xb6c8	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.233680010 CET	1.1.1.1	192.168.2.8	0xb6c8	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.251286983 CET	1.1.1.1	192.168.2.8	0x14c8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 05:02:47.251286983 CET	1.1.1.1	192.168.2.8	0x14c8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 05:02:47.251286983 CET	1.1.1.1	192.168.2.8	0x14c8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 05:02:47.251286983 CET	1.1.1.1	192.168.2.8	0x14c8	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 1, 2024 05:02:47.251301050 CET	1.1.1.1	192.168.2.8	0x3507	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:47.251301050 CET	1.1.1.1	192.168.2.8	0x3507	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:47.266604900 CET	1.1.1.1	192.168.2.8	0x94f5	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:02:48.495004892 CET	1.1.1.1	192.168.2.8	0x6c	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:02:48.495004892 CET	1.1.1.1	192.168.2.8	0x6c	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:03:02.454853058 CET	1.1.1.1	192.168.2.8	0x3acf	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:03:03.087265015 CET	1.1.1.1	192.168.2.8	0xb52	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:03:03.087265015 CET	1.1.1.1	192.168.2.8	0xb52	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:03:17.360119104 CET	1.1.1.1	192.168.2.8	0x348	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:03:43.272944927 CET	1.1.1.1	192.168.2.8	0x8578	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 1, 2024 05:03:43.896507025 CET	1.1.1.1	192.168.2.8	0x5727	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 1, 2024 05:03:43.896507025 CET	1.1.1.1	192.168.2.8	0x5727	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49714	34.107.221.82	80	7928	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 05:02:19.327838898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:19.923608065 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68180 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49720	34.107.221.82	80	7928	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 05:02:20.239959002 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:20.835942984 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45175 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49721	34.107.221.82	80	7928	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 05:02:20.240217924 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:20.836075068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68181 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49725	34.107.221.82	80	7928	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 05:02:20.899884939 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:21.516527891 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45176 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:24.175928116 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:24.304517984 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45179 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:24.322508097 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:24.451155901 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45179 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:25.067389011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:25.196672916 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45180 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:28.240458965 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:28.368886948 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45183 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:33.595680952 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:33.732306004 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45188 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:42.559345007 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:42.687977076 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45197 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:47.990403891 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:48.120980978 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45203 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:48.613571882 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:02:48.742906094 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45203 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:02:58.750224113 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:03.210503101 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:03:03.339231968 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45218 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:03:13.354074955 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:18.150023937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:03:18.279696941 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45233 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:03:18.770931005 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:03:18.899606943 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45233 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:03:22.476743937 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:03:22.605736971 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45237 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:03:32.625731945 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:42.645200968 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:44.017788887 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 1, 2024 05:03:44.146565914 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 31 Oct 2024 15:29:25 GMT Age: 45259 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 1, 2024 05:03:54.147705078 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:04:04.154350996 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:04:14.166598082 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49727	34.107.221.82	80	7928	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 1, 2024 05:02:21.201198101 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:21.796144962 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68182 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:24.188313007 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:24.314352036 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68185 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:24.939485073 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:25.063477039 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68186 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:25.562724113 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:25.686964989 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68186 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:32.096673965 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:32.221090078 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68193 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:42.234227896 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:02:42.430825949 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:42.555349112 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68203 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:47.862297058 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:47.987176895 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68208 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:48.482521057 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:02:48.609621048 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68209 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:02:58.612310886 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:03.080455065 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:03:03.204699993 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68224 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:03:13.210019112 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:18.021034002 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:03:18.146487951 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68239 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:03:18.643781900 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:03:18.767852068 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68239 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:03:22.349313974 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:03:22.473670959 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68243 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:03:32.487616062 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:42.515585899 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:03:43.889511108 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 1, 2024 05:03:44.013994932 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 31 Oct 2024 09:05:59 GMT Age: 68264 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 1, 2024 05:03:54.025249958 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:04:04.038357973 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 1, 2024 05:04:14.050683022 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	00:02:11
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x630000
File size:	919'552 bytes
MD5 hash:	E79F27AB2A69921BB110A37574D7B139
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	00:02:11
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x2f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:02:11
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x2f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x2f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x2f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x2f0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	00:02:15
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25298 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffa93a7b-3b91-4bfd-9fb7-65d32f0039f4} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2794d670310 socket
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	00:02:17
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3808 -parentBuildID 20230927232528 -prefsHandle 3844 -prefMapHandle 3840 -prefsLen 26313 -prefMapSize 238442 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9f37f9f-e46f-48bd-9f0b-fafb995ee8cf} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 2795e768d10 rdd
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	00:02:21
Start date:	01/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 3360 -prefMapHandle 5084 -prefsLen 33464 -prefMapSize 238442 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {730b96e6-bfd9-4534-98b2-3f8e5f4bb17b} 7928 "\\.\pipe\gecko-crash-server-pipe.7928" 279614bcb10 utility
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.5%
Total number of Nodes:	1605
Total number of Limit Nodes:	69

Executed Functions

Function 006342DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0063430D

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

GetCurrentProcess.KERNEL32(?,006CCB64,00000000,?,?), ref: 00634422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00634429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00634454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00634466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00634474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0063447B
GetSystemInfo.KERNEL32(?,?,?), ref: 006344A0

Strings

kernel32.dll, xrefs: 0063444F
GetNativeSystemInfo, xrefs: 00634460
|O, xrefs: 006736F8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: a63559da5bd6162c24c9cbcf14bb88b9be82f6800990b4f7e55cca837b2859d4
Instruction ID: b03e128e12e83d733822e328c408970c35ab16057cf0d0e0f7af0ce3e40bc736
Opcode Fuzzy Hash: a63559da5bd6162c24c9cbcf14bb88b9be82f6800990b4f7e55cca837b2859d4
Instruction Fuzzy Hash: BCA1E67190A2D0CFC715C7797C815E5FFE6AB26300F88D6ADE04593B22DE284505DB6D

Function 006342A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,006350AA,?,?,00000000,00000000), ref: 006342B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006350AA,?,?,00000000,00000000), ref: 006342C9
LoadResource.KERNEL32(?,00000000,?,?,006350AA,?,?,00000000,00000000,?,?,?,?,?,?,00634F20), ref: 006735BE
SizeofResource.KERNEL32(?,00000000,?,?,006350AA,?,?,00000000,00000000,?,?,?,?,?,?,00634F20), ref: 006735D3
LockResource.KERNEL32(006350AA,?,?,006350AA,?,?,00000000,00000000,?,?,?,?,?,?,00634F20,?), ref: 006735E6

Strings

SCRIPT, xrefs: 006342BF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 23db2834aa71d53b9cdbbf210e50088b47e40ec907f83e4bf79df59680d5f862
Instruction ID: 8604bbcaa76e4579a7d6aa33c29e44d136c9972d32611f01b5f57f0bcfe28acd
Opcode Fuzzy Hash: 23db2834aa71d53b9cdbbf210e50088b47e40ec907f83e4bf79df59680d5f862
Instruction Fuzzy Hash: 54117C70200700BFE7218BA6DC48F67BBBEEFC6B61F148169F416D6650DB71ED009A60

Function 00672BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00632B6B

Part of subcall function 00633A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00701418,?,00632E7F,?,?,?,00000000), ref: 00633A78

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,006F2224), ref: 00672C10
ShellExecuteW.SHELL32(00000000,?,?,006F2224), ref: 00672C17

Strings

runas, xrefs: 00672C0B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 8dc9ef8ef2feddc127633c2d8933e355695ab53061aefba1436cfbb994a9332b
Instruction ID: 99c77ee5e290fbee14c513b7ee692cc5456b9a343cd5bea456a3d07830787235
Opcode Fuzzy Hash: 8dc9ef8ef2feddc127633c2d8933e355695ab53061aefba1436cfbb994a9332b
Instruction Fuzzy Hash: 95112931508386AAC748FF60D861DBEB7A79F90314F44542CF187421A2CF708A0ACB96

Function 0069D4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0069D501
Process32FirstW.KERNEL32(00000000,?), ref: 0069D50F
Process32NextW.KERNEL32(00000000,?), ref: 0069D52F
CloseHandle.KERNELBASE(00000000), ref: 0069D5DC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 91df49d8acafadaad8c1529d4bc2266cf7550f4c032de8d6c687674eb9034e65
Instruction ID: 0c62877ac727f90b9f425b1d1a7abaa1f92e57b3017ec42716e35c8c8d268e7f
Opcode Fuzzy Hash: 91df49d8acafadaad8c1529d4bc2266cf7550f4c032de8d6c687674eb9034e65
Instruction Fuzzy Hash: DE3191711083009FD704EF64C881AAFBBFAEF99354F14092DF585862A1EB719945CBA2

Function 0069DBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00675222), ref: 0069DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0069DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0069DBEE
FindClose.KERNEL32(00000000), ref: 0069DBFA

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 05676ad06b82452439491b0144d3df84126f44daa453db984ea5b273ee8c087c
Instruction ID: 01d5e6c590f9dc244ef9e6b74b3286e87a9db68b553dd022c592933a3bee37c6
Opcode Fuzzy Hash: 05676ad06b82452439491b0144d3df84126f44daa453db984ea5b273ee8c087c
Instruction Fuzzy Hash: D6F0A0B081091097CB206B78EC0D8BA776E9E013B4B144712F83AC2AE0EBB45A558695

Function 00654CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(006628E9,?,00654CBE,006628E9,006F88B8,0000000C,00654E15,006628E9,00000002,00000000,?,006628E9), ref: 00654D09
TerminateProcess.KERNEL32(00000000,?,00654CBE,006628E9,006F88B8,0000000C,00654E15,006628E9,00000002,00000000,?,006628E9), ref: 00654D10
ExitProcess.KERNEL32 ref: 00654D22

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4f244e6acf8add289b2504fff7b6a8c6f42c39426ecc082b8f5e3e2ec6020281
Instruction ID: b8450dca5e86c4fbbb72e7657f506477f2bb003fc83eae2043b389b9a04927c0
Opcode Fuzzy Hash: 4f244e6acf8add289b2504fff7b6a8c6f42c39426ecc082b8f5e3e2ec6020281
Instruction Fuzzy Hash: C9E0B631400548ABCF11AF54EE09EA83B7BFF41796F145158FC098B622CF36DD86CA94

Function 0063BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#p, xrefs: 006807CE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#p
API String ID: 3964851224-1159509791
Opcode ID: b5c23a00413313b7cefd03db48f82da3c7d135f72cd56662d086f639bfb96f62
Instruction ID: 0d2cfddfaa8c186f408fa32410ed67acf96652b353f261ffeaf68e70ad9b9984
Opcode Fuzzy Hash: b5c23a00413313b7cefd03db48f82da3c7d135f72cd56662d086f639bfb96f62
Instruction Fuzzy Hash: F2A26970A083019FD764DF18C480B6ABBE2BF89314F14896DF89A9B352D771EC45CB92

Function 006BAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 006BB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006BB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006BB1D4
_wcslen.LIBCMT ref: 006BB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006BB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006BB236
_wcslen.LIBCMT ref: 006BB332

Part of subcall function 006A05A7: GetStdHandle.KERNEL32(000000F6), ref: 006A05C6

_wcslen.LIBCMT ref: 006BB34B
_wcslen.LIBCMT ref: 006BB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006BB3B6
GetLastError.KERNEL32(00000000), ref: 006BB407
CloseHandle.KERNEL32(?), ref: 006BB439
CloseHandle.KERNEL32(00000000), ref: 006BB44A
CloseHandle.KERNEL32(00000000), ref: 006BB45C
CloseHandle.KERNEL32(00000000), ref: 006BB46E
CloseHandle.KERNEL32(?), ref: 006BB4E3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 5b9b93cae87559e91c336489a5d094f78ddcfbf20be7b7f46c6e33e71b3a9d7e
Instruction ID: 061f358cf239928e3d222a195b4a8708563c6a3d05bf3b8eeb254e8ba8d97655
Opcode Fuzzy Hash: 5b9b93cae87559e91c336489a5d094f78ddcfbf20be7b7f46c6e33e71b3a9d7e
Instruction Fuzzy Hash: 38F1AF715043409FC764EF24C891BAEBBE2AF85314F14945DF8998B3A2CB71EC85CB96

Function 0063D730 Relevance: 21.6, APIs: 14, Instructions: 626windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0063D807
timeGetTime.WINMM ref: 0063DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0063DB28
TranslateMessage.USER32(?), ref: 0063DB7B
DispatchMessageW.USER32(?), ref: 0063DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0063DB9F
Sleep.KERNELBASE(0000000A), ref: 0063DBB1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 0d9a974a4011faf335ce9a8dde85f96328492ec8aac2ad7e3a497be40cb3b351
Instruction ID: b8590a233233aa242953f94f91d7c8b306a63849726b0ee32efc2cce99f736aa
Opcode Fuzzy Hash: 0d9a974a4011faf335ce9a8dde85f96328492ec8aac2ad7e3a497be40cb3b351
Instruction Fuzzy Hash: C042FE70608242EFD728DF24D894BAAB7E2FF46314F14865EE4668B391D770E845CBC6

Function 00632CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00632D07
RegisterClassExW.USER32(00000030), ref: 00632D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00632D42
InitCommonControlsEx.COMCTL32(?), ref: 00632D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00632D6F
LoadIconW.USER32(000000A9), ref: 00632D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00632D94

Strings

AutoIt v3 GUI, xrefs: 00632D23
TaskbarCreated, xrefs: 00632D37
+, xrefs: 00632CF0
0, xrefs: 00632CE9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9bb6ae46914f2fc8d1de5991c67d34b8fa56909035105b5259ab121dacd6ed6f
Instruction ID: e5cc5c9df5a9e3ca2fa3b21c5780814eb03578c0e8097a9d1d803bee3b6516f0
Opcode Fuzzy Hash: 9bb6ae46914f2fc8d1de5991c67d34b8fa56909035105b5259ab121dacd6ed6f
Instruction Fuzzy Hash: E821E3B1D11348EFDB00DFA4E859BEDBBB5FB08710F00821AF615A62A0DBB51540CFA4

Function 0067065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0067039A: CreateFileW.KERNELBASE(00000000,00000000,?,00670704,?,?,00000000,?,00670704,00000000,0000000C), ref: 006703B7

GetLastError.KERNEL32 ref: 0067076F
__dosmaperr.LIBCMT ref: 00670776
GetFileType.KERNELBASE(00000000), ref: 00670782
GetLastError.KERNEL32 ref: 0067078C
__dosmaperr.LIBCMT ref: 00670795
CloseHandle.KERNEL32(00000000), ref: 006707B5
CloseHandle.KERNEL32(?), ref: 006708FF
GetLastError.KERNEL32 ref: 00670931
__dosmaperr.LIBCMT ref: 00670938

Strings

H, xrefs: 006708BD

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 64251a19f568036642363132c7f1f932db0b1d85afb2526b7c8bb197c4acb475
Instruction ID: 6cf462e6730db1696a19f7e69e935a4280c2f4caca3107ffe2b420e655081849
Opcode Fuzzy Hash: 64251a19f568036642363132c7f1f932db0b1d85afb2526b7c8bb197c4acb475
Instruction Fuzzy Hash: 5BA15532A00144CFEF19EF68D851BAE3BA2AB06324F14815DF819DB391CB309D13CBA5

Function 0063344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00633A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00701418,?,00632E7F,?,?,?,00000000), ref: 00633A78

Part of subcall function 00633357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00633379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0063356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0067318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006731CE
RegCloseKey.ADVAPI32(?), ref: 00673210
_wcslen.LIBCMT ref: 00673277
_wcslen.LIBCMT ref: 00673286

Strings

Software\AutoIt v3\AutoIt, xrefs: 00633560
\Include\, xrefs: 00633527
Include, xrefs: 00673184, 006731C5
\, xrefs: 0067328C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5315d4657a6d65b90e7d53f58c9c0fd00a58ed1e6eed36319a1a0a8758757b92
Instruction ID: 3b91fcb4134024bc32fa7091080235036a7b224c861c98d50350febf6473ccac
Opcode Fuzzy Hash: 5315d4657a6d65b90e7d53f58c9c0fd00a58ed1e6eed36319a1a0a8758757b92
Instruction Fuzzy Hash: 7A71C172404300DEC344DF64DC859ABFBE9FF84350F50892EF549932A2DB789A49CBA9

Function 00632B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00632B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00632B9D
LoadIconW.USER32(00000063), ref: 00632BB3
LoadIconW.USER32(000000A4), ref: 00632BC5
LoadIconW.USER32(000000A2), ref: 00632BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00632BEF
RegisterClassExW.USER32(?), ref: 00632C40

Part of subcall function 00632CD4: GetSysColorBrush.USER32(0000000F), ref: 00632D07
Part of subcall function 00632CD4: RegisterClassExW.USER32(00000030), ref: 00632D31
Part of subcall function 00632CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00632D42
Part of subcall function 00632CD4: InitCommonControlsEx.COMCTL32(?), ref: 00632D5F
Part of subcall function 00632CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00632D6F
Part of subcall function 00632CD4: LoadIconW.USER32(000000A9), ref: 00632D85
Part of subcall function 00632CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00632D94

Strings

AutoIt v3, xrefs: 00632C2F
0, xrefs: 00632C0F
#, xrefs: 00632C16

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 70a6ade5f7e87c0dab04a9c35a46db45f04d933a73a4c2f420d7392a2f08a599
Instruction ID: 7225ec861387c3495bc00b9d8ecd0a580b22133e97d11720c2f9b1fe218ff8bf
Opcode Fuzzy Hash: 70a6ade5f7e87c0dab04a9c35a46db45f04d933a73a4c2f420d7392a2f08a599
Instruction Fuzzy Hash: 5F212970E00318EBDB109FA5EC59BA9BFF5FB48B54F44811AF504A76A0DBB94540CF98

Function 0063B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0063BB4E

Strings

p#p, xrefs: 0063BB6B
p%p, xrefs: 0063BB32
p#p, xrefs: 0068024F
x#p, xrefs: 00680168
x#p, xrefs: 00680207
p#p, xrefs: 0063BA72
p#p, xrefs: 00680263
p%p, xrefs: 0063B8DC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#p$p#p$p#p$p#p$p%p$p%p$x#p$x#p
API String ID: 1385522511-1847788097
Opcode ID: 2145a3ac0bf82dc560018dca73c6626e29f549ab83edde0b1250dcc8abb1d991
Instruction ID: a2b93a389f8d982e4f601bc927021b0e1d3184911497d48068df74a4c7496346
Opcode Fuzzy Hash: 2145a3ac0bf82dc560018dca73c6626e29f549ab83edde0b1250dcc8abb1d991
Instruction Fuzzy Hash: E232BE31A00209DFEB24DF54C898BBEB7B7EF45310F148159EA05AB391CB78AD46CB95

Function 00633170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0063316A,?,?), ref: 006331D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0063316A,?,?), ref: 00633204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00633227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0063316A,?,?), ref: 00633232
CreatePopupMenu.USER32 ref: 00633246
PostQuitMessage.USER32(00000000), ref: 00633267

Strings

TaskbarCreated, xrefs: 0063322D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 7434cab24c88b6d489ab1960b5b58691cad307caa2862ff2a66e312a17ec1ead
Instruction ID: f59932527a930ce4fee6fcdb2cb530b76d4dab7970c53c68a670530c93cf1aad
Opcode Fuzzy Hash: 7434cab24c88b6d489ab1960b5b58691cad307caa2862ff2a66e312a17ec1ead
Instruction Fuzzy Hash: 5E415931600220EBDB141B7CDD1DBBA3A5BEB05350F448229F50A867E1CB7A9F4197E9

Function 00631410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00631459
CoUninitialize.COMBASE ref: 006314F8
UnregisterHotKey.USER32(?), ref: 006316DD
DestroyWindow.USER32(?), ref: 006724B9
FreeLibrary.KERNEL32(?), ref: 0067251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0067254B

Strings

close all, xrefs: 00631454

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d3a4f19758c9e0ba21aaf3e3872e11479a2ba1daaababceabd7e1c778c77f82d
Instruction ID: 8c417c83dc779901ac33253be344cb22f0db9cd0f04abca3781e0b5ea036375c
Opcode Fuzzy Hash: d3a4f19758c9e0ba21aaf3e3872e11479a2ba1daaababceabd7e1c778c77f82d
Instruction Fuzzy Hash: 51D16B71701212CFDB29EF15C4A5B69F7A6BF06710F1482ADE44A6B352DB30AD12CF94

Function 00632C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00632C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00632CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00631CAD,?), ref: 00632CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00631CAD,?), ref: 00632CCF

Strings

AutoIt v3, xrefs: 00632C89, 00632C8E, 00632C8F
edit, xrefs: 00632CAC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 4873159ea496f70de9ef52ce7c26476a900b7cc92169ea7641d43232f6b62bb8
Instruction ID: 3aae6abc2185fe1c4e8f7ff02a0f5b2e019e29dbc4f9494093786e5fb2234d88
Opcode Fuzzy Hash: 4873159ea496f70de9ef52ce7c26476a900b7cc92169ea7641d43232f6b62bb8
Instruction Fuzzy Hash: 0CF03A75940390BAEB301B13AC1CE77AEBED7C6F60B40911EF904A25A0CA790840DAB8

Function 00633B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00633B0F,SwapMouseButtons,00000004,?), ref: 00633B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00633B0F,SwapMouseButtons,00000004,?), ref: 00633B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00633B0F,SwapMouseButtons,00000004,?), ref: 00633B83

Strings

Control Panel\Mouse, xrefs: 00633B3E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ed9499d13aa9cdd7b16588dba44700fa309328884904853365b09bc7e09f004c
Instruction ID: c7542f1ada71727af1285d1857667be3a8bf1a983cc30c521085867174dd2dcc
Opcode Fuzzy Hash: ed9499d13aa9cdd7b16588dba44700fa309328884904853365b09bc7e09f004c
Instruction Fuzzy Hash: BF112AB5610218FFDB208FA5DC44EEEB7B9EF24754F104459E806D7210D2319E4197A0

Function 00633923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006733A2

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00633A04

Strings

Line: , xrefs: 006733EB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: e85f70235a09b75b98b05f34a3c6bd26b986b27763b849a686a69fca3892d2b0
Instruction ID: 4897f25b6f1a29ac898f4ec0908ea1dec970d69d84e1f6f588d79f4332631360
Opcode Fuzzy Hash: e85f70235a09b75b98b05f34a3c6bd26b986b27763b849a686a69fca3892d2b0
Instruction Fuzzy Hash: 2531D471808320EED765EB20DC45BEBB7DAAB40710F00862EF599832D1EF749649C7CA

Function 00632DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00672C8C

Part of subcall function 00633AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00633A97,?,?,00632E7F,?,?,?,00000000), ref: 00633AC2

Part of subcall function 00632DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00632DC4

Strings

`eo, xrefs: 00672C85
X, xrefs: 00672C5A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eo
API String ID: 779396738-1816224629
Opcode ID: ef662feaf277e6b4437925c2780ba8c7209f222ede4c9e42dbc5e54cafce2417
Instruction ID: c07b7c3189f7ec65cb270d68e22fd0a069d24e1b1ed5b76008203bbe456979b4
Opcode Fuzzy Hash: ef662feaf277e6b4437925c2780ba8c7209f222ede4c9e42dbc5e54cafce2417
Instruction Fuzzy Hash: 7E219671A002589BCB41EF94C855BEE7BFAAF49314F008059E505A7341DBB455498FA5

Function 0064FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00650668

Part of subcall function 006532A4: RaiseException.KERNEL32(?,?,?,0065068A,?,00701444,?,?,?,?,?,?,0065068A,00631129,006F8738,00631129), ref: 00653304

__CxxThrowException@8.LIBVCRUNTIME ref: 00650685

Strings

Unknown exception, xrefs: 00650692

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 84e6f423df45a18ab9d778895d9801670da6bbb616e8832d509053cceebe5022
Instruction ID: c84b25492d1bffe24a1742544062b8eb98e83c9d4003f3676a3c24f5528fdbe3
Opcode Fuzzy Hash: 84e6f423df45a18ab9d778895d9801670da6bbb616e8832d509053cceebe5022
Instruction Fuzzy Hash: BFF0223490020D77CB00BBA4D846CAEBB6F5E00341F604478BD14C2692EF71EB6ECA84

Function 006310F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00631BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00631BF4
Part of subcall function 00631BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00631BFC
Part of subcall function 00631BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00631C07
Part of subcall function 00631BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00631C12
Part of subcall function 00631BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00631C1A
Part of subcall function 00631BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00631C22

Part of subcall function 00631B4A: RegisterWindowMessageW.USER32(00000004,?,006312C4), ref: 00631BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0063136A
OleInitialize.OLE32 ref: 00631388
CloseHandle.KERNEL32(00000000,00000000), ref: 006724AB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 45f3ac34942804a71822cd4210e9106dd01260d564eb1b0542e3e2620f9be7af
Instruction ID: 00229b1b2c6ef596e3f185f9bedf5af9d5d0b99d79192b3f2dbed2e83e0ab5ae
Opcode Fuzzy Hash: 45f3ac34942804a71822cd4210e9106dd01260d564eb1b0542e3e2620f9be7af
Instruction Fuzzy Hash: 577199B4911240CEC384DF79AC55A653AE2EB893647D4C32EE04ADB3B1EF384561CF99

Function 0069C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00633923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00633A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0069C259
KillTimer.USER32(?,00000001,?,?), ref: 0069C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0069C270

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 1a1ee641f2374e3cb91b5488144e68520c2428164f9f1ef455f95aa2979493af
Instruction ID: bd29a8f041c7487a520b78b928276bf1d83551d9e711582acf9ae2143ff067ae
Opcode Fuzzy Hash: 1a1ee641f2374e3cb91b5488144e68520c2428164f9f1ef455f95aa2979493af
Instruction Fuzzy Hash: 4231C370904384AFEF228F648855BE7BBEE9B06318F00449ED5DE93241C7745B85CB55

Function 006686AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,006685CC,?,006F8CC8,0000000C), ref: 00668704
GetLastError.KERNEL32(?,006685CC,?,006F8CC8,0000000C), ref: 0066870E
__dosmaperr.LIBCMT ref: 00668739

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 8e78ad5dc860583b52762d579398bb5461c322530621399c0397a4c4a55046e3
Instruction ID: c75b2de8eabc29825ec33aeedce3093e92521bd8ebb63bd8280be9222ddf88c6
Opcode Fuzzy Hash: 8e78ad5dc860583b52762d579398bb5461c322530621399c0397a4c4a55046e3
Instruction Fuzzy Hash: 88012B326056601ED6746334E846BBE6B4B4B91B78F39031DF919DB3D3EEA08C818194

Function 0063DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0063DB7B
DispatchMessageW.USER32(?), ref: 0063DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0063DB9F
Sleep.KERNELBASE(0000000A), ref: 0063DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00681CC9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 83d7378d168a54c2337026c78c8466854a15c73d887ca3f8a2bfaef4a8ecafb4
Instruction ID: 535f4b3bed3aa69004f1e04eee718618648622da6416c40876bd0e4871fabb2b
Opcode Fuzzy Hash: 83d7378d168a54c2337026c78c8466854a15c73d887ca3f8a2bfaef4a8ecafb4
Instruction Fuzzy Hash: 25F05E706443409BE730DB60DC89FEA73AEEB45320F504A19E61A871C0DB34A5498B65

Function 00641310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 006417F6

Strings

CALL, xrefs: 006417C6

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: a3c9c1c9b420eff729a0c08268697a4a18a6609feb10d92dddfe4769352cb0eb
Instruction ID: dce47d383e8609279e563d0099bdf1a5ae68f985320d81d5a4ed60d0fc9e8a6f
Opcode Fuzzy Hash: a3c9c1c9b420eff729a0c08268697a4a18a6609feb10d92dddfe4769352cb0eb
Instruction Fuzzy Hash: 80228AB06082019FC754DF14C884B6ABBF2BF86314F148A5DF4968B3A2D771E985CB96

Function 00633837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00633908

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ac7673c76aab3de14241a9e44894514af69d2306bef5d78d362bc2a68baa677d
Instruction ID: 285aba2f4573a6f237e2c84740ea943a74c410c7148b3091e4290e953e9c8ea1
Opcode Fuzzy Hash: ac7673c76aab3de14241a9e44894514af69d2306bef5d78d362bc2a68baa677d
Instruction Fuzzy Hash: 05317C70604311DFD760DF24D884797BBE9FB49719F00492EF59983380EB75AA44CB96

Function 0064F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0064F661

Part of subcall function 0063D730: GetInputState.USER32 ref: 0063D807

Sleep.KERNEL32(00000000), ref: 0068F2DE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: f537f62d521216c5f1791161abf5f954c12a567fff0598ef04c7625e97623115
Instruction ID: e2c8731f962f4a28646da2925f6d8cac214fc0ca0e73f2ebc041f035e56e0081
Opcode Fuzzy Hash: f537f62d521216c5f1791161abf5f954c12a567fff0598ef04c7625e97623115
Instruction Fuzzy Hash: E0F08C312402059FD350FF69D449F6AB7EAEF45760F001029E85DC7260DB70A800CB94

Function 00634ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00634E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00634EDD,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634E9C
Part of subcall function 00634E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00634EAE
Part of subcall function 00634E90: FreeLibrary.KERNEL32(00000000,?,?,00634EDD,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634EFD

Part of subcall function 00634E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00673CDE,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634E62
Part of subcall function 00634E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00634E74
Part of subcall function 00634E59: FreeLibrary.KERNEL32(00000000,?,?,00673CDE,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634E87

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 74d58ad5def6377864f6ab81d024086810a607b912584bd60183f8c8b72477f0
Instruction ID: 07885ad875f8ea6c35939e434625c704427fc8f22e00941300ac7bfee9cd0d73
Opcode Fuzzy Hash: 74d58ad5def6377864f6ab81d024086810a607b912584bd60183f8c8b72477f0
Instruction Fuzzy Hash: EF11E332600305AACF54BB64DC12FADB7A7AF80711F14842DF546A62C1EE75AE059B98

Function 00668402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00668440

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a83003c97e143df8ac1cbc13a7705bde1355b15bb814d88e85f76f515e4cce55
Instruction ID: 44dfa98a98977f62da1f4757134c5665ab9602e04fa9716e0d324561722f360e
Opcode Fuzzy Hash: a83003c97e143df8ac1cbc13a7705bde1355b15bb814d88e85f76f515e4cce55
Instruction Fuzzy Hash: E611187590410AAFCB05DF68E941ADA7BF5EF48314F104199F808AB312DA31DA11CBA5

Function 00665000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00664C7D: RtlAllocateHeap.NTDLL(00000008,00631129,00000000,?,00662E29,00000001,00000364,?,?,?,0065F2DE,00663863,00701444,?,0064FDF5,?), ref: 00664CBE

_free.LIBCMT ref: 0066506C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 9d14235671bc507db613c92c89d9ea470a23ca653cdded4f527ea7f3ddf0dcf3
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 470126722047056BE3218F65D882A9AFBEAFB89370F25061DE18583280EA30A805C6B4

Function 0065E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 786674cc66fbb580c2f3a248572a95ea5f8e42a992ff8354fbe57f2622c20820
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A4F0F932510A109ACB353A758C05B9A379B9F523B3F10071DFC21932D2CB75D50A86AD

Function 00664C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00631129,00000000,?,00662E29,00000001,00000364,?,?,?,0065F2DE,00663863,00701444,?,0064FDF5,?), ref: 00664CBE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9931c266d3430c21f416ab3bfcc0b3759d7322764f7558f700d269894214bb9d
Instruction ID: 8a3d3d805d2784f527ff0d0ebf09ca1dd8225a5784d5fda4b29cc61226dba573
Opcode Fuzzy Hash: 9931c266d3430c21f416ab3bfcc0b3759d7322764f7558f700d269894214bb9d
Instruction Fuzzy Hash: 41F0E93160222467DB215F66DC09F9A378BBF817B1F144115FC19E6380CE30D80196E4

Function 00663820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00701444,?,0064FDF5,?,?,0063A976,00000010,00701440,006313FC,?,006313C6,?,00631129), ref: 00663852

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a7de8bf769eba6f03fac91513633cbe8d3cd27ba85e67693320586ba11711634
Instruction ID: 5d33e22edd8069155fd6e7d9e43bbd6cf5fd2c0be15ff3482d3b0901fe752c9a
Opcode Fuzzy Hash: a7de8bf769eba6f03fac91513633cbe8d3cd27ba85e67693320586ba11711634
Instruction Fuzzy Hash: E9E0ED31100234AAE7612AA79C05BDA374BAF827B1F09012CBC0693B81CF20DE0283E4

Function 00634F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634F6D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3703f1ae5f6e49c71fe0e8297434dbdb388eb8eb90bd211fe0c88b8495f65d58
Instruction ID: 0a55e132218f5282f75617118b421fbd5873341bdc32a9daf9fc8a56b067ca27
Opcode Fuzzy Hash: 3703f1ae5f6e49c71fe0e8297434dbdb388eb8eb90bd211fe0c88b8495f65d58
Instruction Fuzzy Hash: 7BF03071105751CFDB349F65D490862F7E6EF54329718C9BEE1DA82611CB31A844DF90

Function 006C2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006C2A66

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 61795168c2fbdd3e81fc6ddf9105ad511aaa0aa2e3f20cdca81f90817105e524
Instruction ID: 5ab21b01609386a9952f4bbac224063de48dbad205781b37956bfddced8a7c9c
Opcode Fuzzy Hash: 61795168c2fbdd3e81fc6ddf9105ad511aaa0aa2e3f20cdca81f90817105e524
Instruction Fuzzy Hash: F3E0DF32354116AACB50EB74DC90EFA734EEB10390B00403EEC1AC2200EB30899286A4

Function 006330F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0063314E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: f07d8af2193a18e7719026afb1ae284e915338b342e8e503966e6d52b4e167ca
Instruction ID: 07cebef58c6b8f782fb5a55c73fc6716b35934852a18ae0f43a0983f6e75bc5d
Opcode Fuzzy Hash: f07d8af2193a18e7719026afb1ae284e915338b342e8e503966e6d52b4e167ca
Instruction Fuzzy Hash: ABF037709143149FE7529B24DC497D5BBFCA701708F0041E9A58896291DB745788CF95

Function 00632DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00632DC4

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 5134d7601c125d75dee388157e7dfb78d6ce37d1b160d306248b2f5c077167be
Instruction ID: bdf6bfa63726ae353a01293c6dc5d2e50c97d95172bf140f51b2ae63a1eacefb
Opcode Fuzzy Hash: 5134d7601c125d75dee388157e7dfb78d6ce37d1b160d306248b2f5c077167be
Instruction Fuzzy Hash: 6CE0CD72A001245BC7109258DC05FEA77DEDFC8790F044075FD0DD7248D964AD808694

Function 00632B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00633837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00633908

Part of subcall function 0063D730: GetInputState.USER32 ref: 0063D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00632B6B

Part of subcall function 006330F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0063314E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 36143804129eca6a85ddd02271ab02da85aa8df781445f58c8ee99b9d58509eb
Instruction ID: fe2db42188e3c155be836cabf2a1c84310421a526b1e133c10cccb072e18d050
Opcode Fuzzy Hash: 36143804129eca6a85ddd02271ab02da85aa8df781445f58c8ee99b9d58509eb
Instruction Fuzzy Hash: 50E0863170429446C648BB74A8525BDA79B9BD1365F40153EF146832A2CF74454546D9

Function 0067039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00670704,?,?,00000000,?,00670704,00000000,0000000C), ref: 006703B7

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 33866262bc672dfa310bee892d28001b858bcbb4f6b87a348bb8583b732bad6e
Instruction ID: 07a0b729b453fb791db1a86f87c45eb1cbcea6c5544fb65474823a04f3fa68de
Opcode Fuzzy Hash: 33866262bc672dfa310bee892d28001b858bcbb4f6b87a348bb8583b732bad6e
Instruction Fuzzy Hash: A5D06C3204010DBBDF028F85DD06EDA3BAAFB48714F014000FE1856420C732E821AB90

Function 00631CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00631CBC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: c4b102852f75146361b4824d967f8bee8094767c2378712f54627b8063510119
Instruction ID: 62f44e519609e124ccb26ee019ccf45dfb688e41e1c48308516c3d4877edc851
Opcode Fuzzy Hash: c4b102852f75146361b4824d967f8bee8094767c2378712f54627b8063510119
Instruction Fuzzy Hash: B5C09236280304EFF3148B80BC5EF20BB65A348B10F94D101F60DA95E3CBA62832EA58

Non-executed Functions

Function 006C9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006C961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006C965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006C969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006C96C9
SendMessageW.USER32 ref: 006C96F2
GetKeyState.USER32(00000011), ref: 006C978B
GetKeyState.USER32(00000009), ref: 006C9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006C97AE
GetKeyState.USER32(00000010), ref: 006C97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006C97E9
SendMessageW.USER32 ref: 006C9810
SendMessageW.USER32(?,00001030,?,006C7E95), ref: 006C9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006C992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006C9941
SetCapture.USER32(?), ref: 006C994A
ClientToScreen.USER32(?,?), ref: 006C99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006C99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006C99D6
ReleaseCapture.USER32 ref: 006C99E1
GetCursorPos.USER32(?), ref: 006C9A19
ScreenToClient.USER32(?,?), ref: 006C9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 006C9A80
SendMessageW.USER32 ref: 006C9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 006C9AEB
SendMessageW.USER32 ref: 006C9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006C9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006C9B4A
GetCursorPos.USER32(?), ref: 006C9B68
ScreenToClient.USER32(?,?), ref: 006C9B75
GetParent.USER32(?), ref: 006C9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 006C9BFA
SendMessageW.USER32 ref: 006C9C2B
ClientToScreen.USER32(?,?), ref: 006C9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006C9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 006C9CDE
SendMessageW.USER32 ref: 006C9D01
ClientToScreen.USER32(?,?), ref: 006C9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006C9D82

Part of subcall function 00649944: GetWindowLongW.USER32(?,000000EB), ref: 00649952

GetWindowLongW.USER32(?,000000F0), ref: 006C9E05

Strings

p#p, xrefs: 006C9990
@GUI_DRAGID, xrefs: 006C997D
F, xrefs: 006C9D07

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#p
API String ID: 3429851547-3138188465
Opcode ID: 44704d2ac5b591f9ad2d7e008839570b7cab23315e4e3c82d1721c08fff1bce5
Instruction ID: d6b99af577179a3026abdbe5bb1fda63f46583b455db65072f8ee89aad343d0f
Opcode Fuzzy Hash: 44704d2ac5b591f9ad2d7e008839570b7cab23315e4e3c82d1721c08fff1bce5
Instruction Fuzzy Hash: A9426834204241AFEB24CF25C848FBABBE6EF49320F14461DF699972A1D731E961CB65

Function 006C4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006C48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 006C4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 006C4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 006C494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 006C495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 006C497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006C49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006C49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 006C4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006C4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 006C4A7E
IsMenu.USER32(?), ref: 006C4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006C4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006C4B20
GetWindowLongW.USER32(?,000000F0), ref: 006C4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 006C4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 006C4C82
wsprintfW.USER32 ref: 006C4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006C4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 006C4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006C4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006C4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 006C4D5A

Strings

%d/%02d/%02d, xrefs: 006C4CA8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 998753aecea9c1d9d3621ae10a76ea01ccc027557e3ef307d1f0f3f543b6d4a7
Instruction ID: ce6c999fb0f506f0ae865948301dbc6c32a39a9dafa0b45a0c9c6dd719689342
Opcode Fuzzy Hash: 998753aecea9c1d9d3621ae10a76ea01ccc027557e3ef307d1f0f3f543b6d4a7
Instruction Fuzzy Hash: 5012DE71600214ABEB249F29CC59FFE7BBAEF85320F10412DF51AEA2E1DB749941CB50

Function 0064F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0064F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0068F474
IsIconic.USER32(00000000), ref: 0068F47D
ShowWindow.USER32(00000000,00000009), ref: 0068F48A
SetForegroundWindow.USER32(00000000), ref: 0068F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0068F4AA
GetCurrentThreadId.KERNEL32 ref: 0068F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0068F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0068F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0068F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0068F4DE
SetForegroundWindow.USER32(00000000), ref: 0068F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068F4F6
keybd_event.USER32(00000012,00000000), ref: 0068F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068F50B
keybd_event.USER32(00000012,00000000), ref: 0068F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068F519
keybd_event.USER32(00000012,00000000), ref: 0068F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068F528
keybd_event.USER32(00000012,00000000), ref: 0068F52D
SetForegroundWindow.USER32(00000000), ref: 0068F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0068F557

Strings

Shell_TrayWnd, xrefs: 0068F46F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 26c00bf88f65f903a6eb1f9b9ba7f931a4e0c47b45f1ebe5b7536409eb9b54d7
Instruction ID: 8b66b126e64079651b1dcd9a356553a1b814716678315c5a46ba1c8e7ae4b553
Opcode Fuzzy Hash: 26c00bf88f65f903a6eb1f9b9ba7f931a4e0c47b45f1ebe5b7536409eb9b54d7
Instruction Fuzzy Hash: 99318671A40218BFEB206BB55C4AFBF7E6EEB44B60F101026F605E61D1C7B05D11ABA1

Function 00691201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 006916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0069170D
Part of subcall function 006916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0069173A
Part of subcall function 006916C3: GetLastError.KERNEL32 ref: 0069174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00691286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 006912A8
CloseHandle.KERNEL32(?), ref: 006912B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006912D1
GetProcessWindowStation.USER32 ref: 006912EA
SetProcessWindowStation.USER32(00000000), ref: 006912F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00691310

Part of subcall function 006910BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006911FC), ref: 006910D4
Part of subcall function 006910BF: CloseHandle.KERNEL32(?,?,006911FC), ref: 006910E9

Strings

default, xrefs: 0069130B
Zo, xrefs: 00691392
, xrefs: 0069125A
winsta0, xrefs: 006912CC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zo
API String ID: 22674027-784821077
Opcode ID: 6561eca0723ecf78e23357f14d1b3f72e98ab0c8f67621f7948fb381b9ef4cb1
Instruction ID: 67d2b40bded6f2fdea77959f674719716c83961313ccb0e0482560cc162d75d2
Opcode Fuzzy Hash: 6561eca0723ecf78e23357f14d1b3f72e98ab0c8f67621f7948fb381b9ef4cb1
Instruction Fuzzy Hash: 56819F7190020AAFEF119FA4DC49FEE7BFEEF09B14F244119F915AA6A0C7318945CB64

Function 00690B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00691114
Part of subcall function 006910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 00691120
Part of subcall function 006910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 0069112F
Part of subcall function 006910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 00691136
Part of subcall function 006910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0069114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00690BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00690C00
GetLengthSid.ADVAPI32(?), ref: 00690C17
GetAce.ADVAPI32(?,00000000,?), ref: 00690C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00690C6D
GetLengthSid.ADVAPI32(?), ref: 00690C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00690C8C
HeapAlloc.KERNEL32(00000000), ref: 00690C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00690CB4
CopySid.ADVAPI32(00000000), ref: 00690CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00690CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00690D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00690D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00690D45
HeapFree.KERNEL32(00000000), ref: 00690D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00690D55
HeapFree.KERNEL32(00000000), ref: 00690D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00690D65
HeapFree.KERNEL32(00000000), ref: 00690D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00690D78
HeapFree.KERNEL32(00000000), ref: 00690D7F

Part of subcall function 00691193: GetProcessHeap.KERNEL32(00000008,00690BB1,?,00000000,?,00690BB1,?), ref: 006911A1
Part of subcall function 00691193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00690BB1,?), ref: 006911A8
Part of subcall function 00691193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00690BB1,?), ref: 006911B7

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 8734297409bf20b21cd87233d632060ca43719918f36dfea5e68738ae4cb2fd6
Instruction ID: 792acddbdd1a53eb288791d8bd570fc9570ecd1d8557b33e29050b84e6dd6447
Opcode Fuzzy Hash: 8734297409bf20b21cd87233d632060ca43719918f36dfea5e68738ae4cb2fd6
Instruction Fuzzy Hash: 70714A72A0020AEFEF10DFA5DC44FEEBBBEBF08314F144515E919A6691D771A905CB60

Function 006AEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006CCC08), ref: 006AEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 006AEB37
GetClipboardData.USER32(0000000D), ref: 006AEB43
CloseClipboard.USER32 ref: 006AEB4F
GlobalLock.KERNEL32(00000000), ref: 006AEB87
CloseClipboard.USER32 ref: 006AEB91
GlobalUnlock.KERNEL32(00000000), ref: 006AEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 006AEBC9
GetClipboardData.USER32(00000001), ref: 006AEBD1
GlobalLock.KERNEL32(00000000), ref: 006AEBE2
GlobalUnlock.KERNEL32(00000000), ref: 006AEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 006AEC38
GetClipboardData.USER32(0000000F), ref: 006AEC44
GlobalLock.KERNEL32(00000000), ref: 006AEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 006AEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006AEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 006AECD2
GlobalUnlock.KERNEL32(00000000), ref: 006AECF3
CountClipboardFormats.USER32 ref: 006AED14
CloseClipboard.USER32 ref: 006AED59

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 72c43d978252b1190be8660c81491d76a84df78745ed0b14901c7ebe020dfa56
Instruction ID: f2523c48b63f77485bef0c8f15d46cac33fb976c4c33f9ccd11396adfdd15f4d
Opcode Fuzzy Hash: 72c43d978252b1190be8660c81491d76a84df78745ed0b14901c7ebe020dfa56
Instruction Fuzzy Hash: FB61AD34204201AFD300EF24D989F7AB7A6EF85724F14951DF45A972A2DB72DD06CFA2

Function 006A698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006A69BE
FindClose.KERNEL32(00000000), ref: 006A6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006A6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006A6A75

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 006A6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 006A6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 006A6B32
%4d, xrefs: 006A6BB1
%02d, xrefs: 006A6C00, 006A6C0A, 006A6C5A, 006A6CAA, 006A6CFA, 006A6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 006A6B6A
%03d, xrefs: 006A6DA2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 137c3f431c91d4d77b0f83252baf2ca925c3c9dd8baac43cf90a87d9ac839ed3
Instruction ID: 8823fb1a760c9164859259d8e6b3cfcfcf6c87d3cd938c9a7019691847a57416
Opcode Fuzzy Hash: 137c3f431c91d4d77b0f83252baf2ca925c3c9dd8baac43cf90a87d9ac839ed3
Instruction Fuzzy Hash: 8CD174B2508300AFC754EBA4C885EABB7EDEF89704F04491DF585D7291EB74DA04CBA2

Function 006A9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 006A9663
GetFileAttributesW.KERNEL32(?), ref: 006A96A1
SetFileAttributesW.KERNEL32(?,?), ref: 006A96BB
FindNextFileW.KERNEL32(00000000,?), ref: 006A96D3
FindClose.KERNEL32(00000000), ref: 006A96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 006A96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 006A974A
SetCurrentDirectoryW.KERNEL32(006F6B7C), ref: 006A9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 006A9772
FindClose.KERNEL32(00000000), ref: 006A977F
FindClose.KERNEL32(00000000), ref: 006A978F

Strings

*.*, xrefs: 006A96F5

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: f2e436552b89c8e7ff428ec3ad7a4aabb92e1777b2df654561ae35e69034ae31
Instruction ID: 79206b1618fb39e1e1fdaa2878d38b340883de2a538f43778e866d3463983663
Opcode Fuzzy Hash: f2e436552b89c8e7ff428ec3ad7a4aabb92e1777b2df654561ae35e69034ae31
Instruction Fuzzy Hash: A431A2325402196EDB14EFB4EC59EEE77AEDF4A321F204155F919E2190DB34DE448E34

Function 006A979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 006A97BE
FindNextFileW.KERNEL32(00000000,?), ref: 006A9819
FindClose.KERNEL32(00000000), ref: 006A9824
FindFirstFileW.KERNEL32(*.*,?), ref: 006A9840
SetCurrentDirectoryW.KERNEL32(?), ref: 006A9890
SetCurrentDirectoryW.KERNEL32(006F6B7C), ref: 006A98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 006A98B8
FindClose.KERNEL32(00000000), ref: 006A98C5
FindClose.KERNEL32(00000000), ref: 006A98D5

Part of subcall function 0069DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0069DB00

Strings

*.*, xrefs: 006A983B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 025a5e82d247093eb4659b4bfc4f661e4e303da90f472d09d47e5f5ae5cfa06f
Instruction ID: 417ce41f789676fe01c04ba9426309303046d96417fc66176afe1f261bbf8be7
Opcode Fuzzy Hash: 025a5e82d247093eb4659b4bfc4f661e4e303da90f472d09d47e5f5ae5cfa06f
Instruction Fuzzy Hash: C03190315006196EDB10EFA4EC48EEE77BE9F47320F2445A9E918A2291DB38DE458F74

Function 006BBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006BB6AE,?,?), ref: 006BC9B5
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BC9F1
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA68
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006BBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 006BBFA9
RegCloseKey.ADVAPI32(00000000), ref: 006BBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006BC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006BC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006BC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006BC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 006BC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006BC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006BC382
RegCloseKey.ADVAPI32(00000000), ref: 006BC38F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 8016553baca1881484ced8cade7e057dfce3582898dbfcb4f8b98b2cf793bb98
Instruction ID: 3bedabb73069f2f6c006ece26724af19137115df8557319eeb143c9eb546d7b7
Opcode Fuzzy Hash: 8016553baca1881484ced8cade7e057dfce3582898dbfcb4f8b98b2cf793bb98
Instruction Fuzzy Hash: 5F026EB16042009FD714DF28C895E6AB7E6EF89314F18849DF44ADB3A2DB31ED45CB91

Function 006A8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 006A8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 006A8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006A8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006A8310
SetCurrentDirectoryW.KERNEL32(?), ref: 006A8324
SetCurrentDirectoryW.KERNEL32(?), ref: 006A8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006A838C
SetCurrentDirectoryW.KERNEL32(?), ref: 006A8395

Strings

*.*, xrefs: 006A839B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 689d92a18364b58ca84c54f96afa32d3e6aa7e5fabd29c9011568ac574852c16
Instruction ID: e3ab84d0803f6b6ec73c8aa29243d6e1850db16474780aca5fd8a06872946a08
Opcode Fuzzy Hash: 689d92a18364b58ca84c54f96afa32d3e6aa7e5fabd29c9011568ac574852c16
Instruction Fuzzy Hash: AF6159725043059FCB50EF60C8409AEB3EABF89320F04891EF98997251DB35ED45CF96

Function 0069D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00633AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00633A97,?,?,00632E7F,?,?,?,00000000), ref: 00633AC2

Part of subcall function 0069E199: GetFileAttributesW.KERNEL32(?,0069CF95), ref: 0069E19A

FindFirstFileW.KERNEL32(?,?), ref: 0069D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0069D1DD
MoveFileW.KERNEL32(?,?), ref: 0069D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0069D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0069D237

Part of subcall function 0069D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0069D21C,?,?), ref: 0069D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0069D253
FindClose.KERNEL32(00000000), ref: 0069D264

Strings

\*.*, xrefs: 0069D0CD, 0069D0D6, 0069D0EB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: a0c6bd9545643ceb64bfc0714b7583d50ae126ae904622f6285f47612d38a264
Instruction ID: cffd477c6c9714cee1300e8cb8c2b51b8f0f6652c937e18d271e564ecca89333
Opcode Fuzzy Hash: a0c6bd9545643ceb64bfc0714b7583d50ae126ae904622f6285f47612d38a264
Instruction Fuzzy Hash: DD617C31C0514DAACF45EBE0CA929FDB7BBAF55300F204069E40277291EB31AF09DBA4

Function 006AED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006AED91
EmptyClipboard.USER32 ref: 006AED97
GlobalAlloc.KERNEL32(00000002,?), ref: 006AEDAC
CloseClipboard.USER32 ref: 006AEEA3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: da61da4cccb95e679cfcdff1371c314c9cac22162e6f76f4409679312cd695d4
Instruction ID: 312bc809b9f52f7a81027fb5d9e6d9818e4dce8bb762290469179648d76be5f9
Opcode Fuzzy Hash: da61da4cccb95e679cfcdff1371c314c9cac22162e6f76f4409679312cd695d4
Instruction Fuzzy Hash: E0416A35604611AFE720EF15D888F69BBA6BF45329F14C09DE4198BB62C736ED42CF90

Function 0069E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006916C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0069170D
Part of subcall function 006916C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0069173A
Part of subcall function 006916C3: GetLastError.KERNEL32 ref: 0069174A

ExitWindowsEx.USER32(?,00000000), ref: 0069E932

Strings

, xrefs: 0069E95C
@, xrefs: 0069E925
SeShutdownPrivilege, xrefs: 0069E902
, xrefs: 0069E920

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 96ae2261284b652a2e1db2f85b78cf8efb570c7a2222b29cc3ff8ac5433cf966
Instruction ID: 1abb52d0fd3351a7bc838bb6246296e64c2e228927882e539e35fe3b0fafc746
Opcode Fuzzy Hash: 96ae2261284b652a2e1db2f85b78cf8efb570c7a2222b29cc3ff8ac5433cf966
Instruction Fuzzy Hash: 5501F972B10211AFEF54A6B49C8AFFF726EA714761F150426FD03E26D1D9A25C4181E4

Function 006B1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006B1276
WSAGetLastError.WSOCK32 ref: 006B1283
bind.WSOCK32(00000000,?,00000010), ref: 006B12BA
WSAGetLastError.WSOCK32 ref: 006B12C5
closesocket.WSOCK32(00000000), ref: 006B12F4
listen.WSOCK32(00000000,00000005), ref: 006B1303
WSAGetLastError.WSOCK32 ref: 006B130D
closesocket.WSOCK32(00000000), ref: 006B133C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 1d305198cf80cab5bb669857d9afff877ed5a4c2c8a11005ccbbc8a4a9c62a15
Instruction ID: 809eb53e7818f17e62ef87006ab4d8a2561e98b45a7417f829997a6eeee01f65
Opcode Fuzzy Hash: 1d305198cf80cab5bb669857d9afff877ed5a4c2c8a11005ccbbc8a4a9c62a15
Instruction Fuzzy Hash: CF416071600100AFD710DF64C498BAABBE6AF46324F588198E9569F396C771EDC1CBE1

Function 0066B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0066B9D4
_free.LIBCMT ref: 0066B9F8
_free.LIBCMT ref: 0066BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006D3700), ref: 0066BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0070121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0066BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00701270,000000FF,?,0000003F,00000000,?), ref: 0066BC36
_free.LIBCMT ref: 0066BD4B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 3d5c5d4fbe460054a7404d459edc734daeeed20bc2f5b4a02921b40fef8d8fad
Instruction ID: 8cd827e47933ee21310ac3e70945d00115ee38873eade524ef555246b1184a1c
Opcode Fuzzy Hash: 3d5c5d4fbe460054a7404d459edc734daeeed20bc2f5b4a02921b40fef8d8fad
Instruction Fuzzy Hash: 53C12671A04205EFCB209F69CC41AEA7BBBEF41310F18629EE494D7352EB309E81CB54

Function 0069D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00633AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00633A97,?,?,00632E7F,?,?,?,00000000), ref: 00633AC2

Part of subcall function 0069E199: GetFileAttributesW.KERNEL32(?,0069CF95), ref: 0069E19A

FindFirstFileW.KERNEL32(?,?), ref: 0069D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0069D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0069D481
FindClose.KERNEL32(00000000), ref: 0069D498
FindClose.KERNEL32(00000000), ref: 0069D4A1

Strings

\*.*, xrefs: 0069D3F2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: cdae9be50fb771ad963ce67df1a4a37cc8ae1f75f63beaf8738d01371185076d
Instruction ID: 80bb7f84c74e7706707749613ac310b28ab483730eb3b29cb74978ea8049637a
Opcode Fuzzy Hash: cdae9be50fb771ad963ce67df1a4a37cc8ae1f75f63beaf8738d01371185076d
Instruction Fuzzy Hash: 233180710083859FC744EF64D8918AFB7EEAE91710F444E2DF4D593291EB30AA09DBA7

Function 0066E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0066E645

Strings

1#INF, xrefs: 0066F852
1#IND, xrefs: 0066F83D
1#QNAN, xrefs: 0066F84B
1#SNAN, xrefs: 0066F844

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 394d06717f5209dc2950c209544e15646a25e54c85a5686582eeb882cb14e821
Instruction ID: 78f5f296f8f5d69b5852b3ccadfebfd4fc7e0e54c9e3f9d64b417092e3921666
Opcode Fuzzy Hash: 394d06717f5209dc2950c209544e15646a25e54c85a5686582eeb882cb14e821
Instruction Fuzzy Hash: 94C26B71E086288FDB65CF28DD407EAB7B6EB48305F1441EAD84EE7241E775AE858F40

Function 006A648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006A64DC
CoInitialize.OLE32(00000000), ref: 006A6639
CoCreateInstance.OLE32(006CFCF8,00000000,00000001,006CFB68,?), ref: 006A6650
CoUninitialize.OLE32 ref: 006A68D4

Strings

.lnk, xrefs: 006A64BA, 006A6524, 006A65E0

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: e6d7035b0c2b68d35bf729426309ce69f8f6f0ba53bc58fdff55da427d564c2e
Instruction ID: 840df65eca232902ba1fc3673c4cf2fe1863c3c4b5e0944315809551cc1ce56f
Opcode Fuzzy Hash: e6d7035b0c2b68d35bf729426309ce69f8f6f0ba53bc58fdff55da427d564c2e
Instruction Fuzzy Hash: 69D13971508201AFD354EF24C881E6BB7EAFF95704F04496DF5958B2A1EB70ED05CBA2

Function 006B22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006B22E8

Part of subcall function 006AE4EC: GetWindowRect.USER32(?,?), ref: 006AE504

GetDesktopWindow.USER32 ref: 006B2312
GetWindowRect.USER32(00000000), ref: 006B2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 006B2355
GetCursorPos.USER32(?), ref: 006B2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006B23DF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 6bcaf4193dd488c266be28b63a14ca1ec5a5b7f595fb436389a67f12da666cc0
Instruction ID: 498a445655595eaf14a3fdd775bc022719ae3624af83a598b68cd4ca1156ef50
Opcode Fuzzy Hash: 6bcaf4193dd488c266be28b63a14ca1ec5a5b7f595fb436389a67f12da666cc0
Instruction Fuzzy Hash: 5631A1B25043169BDB20DF54C849FABB7EAFF84314F00091DF58997191D735E949CB92

Function 006A9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 006A9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 006A9C8B

Part of subcall function 006A3874: GetInputState.USER32 ref: 006A38CB
Part of subcall function 006A3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 006A9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 006A9C75

Strings

*.*, xrefs: 006A9B5D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 33c70f91ddcfdc13928048b7a0f4baabca1a52a1fc99e370c770020737224354
Instruction ID: d3c607947e202a06e5e0e9d55eb8f05a310310185c4203731537a92115e8c609
Opcode Fuzzy Hash: 33c70f91ddcfdc13928048b7a0f4baabca1a52a1fc99e370c770020737224354
Instruction Fuzzy Hash: EC4183719046199FDF54EFA4CC49AEE7BB6EF06310F244159F805A2291DB309E44CFB4

Function 0064997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00649A4E
GetSysColor.USER32(0000000F), ref: 00649B23
SetBkColor.GDI32(?,00000000), ref: 00649B36

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 2f9eca60250f6e0b61c166e7f048b310a09d689afcfa5e5a17cf4e07e08e039a
Instruction ID: 24e3f4d327f549f0fd39a5e12553b35da3616382968f5770b3b40d3065df0a5d
Opcode Fuzzy Hash: 2f9eca60250f6e0b61c166e7f048b310a09d689afcfa5e5a17cf4e07e08e039a
Instruction Fuzzy Hash: 38A1F970148454EEE729BA3C8C98EFB269FDB42350B25431DF502D6791CA25DD82D37A

Function 006B1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006B307A
Part of subcall function 006B304E: _wcslen.LIBCMT ref: 006B309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006B185D
WSAGetLastError.WSOCK32 ref: 006B1884
bind.WSOCK32(00000000,?,00000010), ref: 006B18DB
WSAGetLastError.WSOCK32 ref: 006B18E6
closesocket.WSOCK32(00000000), ref: 006B1915

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 4e6ddc8a55cc769b6217d4504be770913bd70b1da6f7af6dd59b133babecaa94
Instruction ID: 5bf0a981ec8374f364c828c039c6e6904e434e897f45a7e1fd092e3f4eb69a54
Opcode Fuzzy Hash: 4e6ddc8a55cc769b6217d4504be770913bd70b1da6f7af6dd59b133babecaa94
Instruction Fuzzy Hash: 7251B3B5A00210AFEB10AF24C896F6A77E6AB45718F44805CFA155F3D3C771AD418BE1

Function 006C1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006C1CC0
IsWindowEnabled.USER32 ref: 006C1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 006C1CDB
IsIconic.USER32 ref: 006C1CE9
IsZoomed.USER32 ref: 006C1CF7

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 310c34b8f9f6e13c7e91e05e91e88906f0dc06a63e3a2aaee66cc776c579c280
Instruction ID: 81039819e2883413d5a93af0d1fd3496435df8c3d38eb418cf00b3b563380fd9
Opcode Fuzzy Hash: 310c34b8f9f6e13c7e91e05e91e88906f0dc06a63e3a2aaee66cc776c579c280
Instruction Fuzzy Hash: 8A219E317402115FD7208F1AC894F7A7BA6EF87325F19805DE84A8B352C775E842CB94

Function 00638060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 0063843C
VUUU, xrefs: 006383FA
ERCP, xrefs: 0063813C
VUUU, xrefs: 006383E8
VUUU, xrefs: 00675DF0

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 1ed75ecd617b965c64ed870610674b7f6f3edcf0e18f2b78c5756b04cc6b29b9
Instruction ID: 3c68d5a388ef493b581bc8be30426707f2e487582b2615c42c75ec73a978df27
Opcode Fuzzy Hash: 1ed75ecd617b965c64ed870610674b7f6f3edcf0e18f2b78c5756b04cc6b29b9
Instruction Fuzzy Hash: A8A23C71A0061ACFDF24CF58C9517EEB7B3BB54314F2481A9E81AA7385DB749E81CB90

Function 00698298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006982AA

Strings

(, xrefs: 006982F0
tbo, xrefs: 006984F4
|, xrefs: 006982DA

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbo$|
API String ID: 1659193697-2343487118
Opcode ID: b1bee2b983fa0172727466ad6e76b635ef559e6e6acadadfe811b89d5de92dc6
Instruction ID: d62a8c293d8f25472e71f9e1059721989b243b8a5a3c914988c2d6c695239da8
Opcode Fuzzy Hash: b1bee2b983fa0172727466ad6e76b635ef559e6e6acadadfe811b89d5de92dc6
Instruction Fuzzy Hash: 49324474A007059FCB28CF59C481AAAB7F5FF48710B15C46EE49ADB7A1EB70E941CB44

Function 0069AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0069AAAC
SetKeyboardState.USER32(00000080), ref: 0069AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0069AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0069AB88

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1cb82b96ba282929649095405798940d22583f4fe6eb26712cc5efac9f3f2d6d
Instruction ID: 8e752b42933bfef0ba15b44d9c6afcdae9f9589767abda2adf9654a809cd4f6a
Opcode Fuzzy Hash: 1cb82b96ba282929649095405798940d22583f4fe6eb26712cc5efac9f3f2d6d
Instruction Fuzzy Hash: D6310930A40248AFEF358BA9CC05BFA77EFAB44320F04421AE5C556AD4D7749981C7E6

Function 006ACE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 006ACE89
GetLastError.KERNEL32(?,00000000), ref: 006ACEEA
SetEvent.KERNEL32(?,?,00000000), ref: 006ACEFE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: f5f3ab162f6048a8ceb610abee09ebe0a6d78b00963c450ec37cb9d60aa04218
Instruction ID: 3943683fd7bbffa7e07c55b87dea271796f03de7cc08c7b275d53e01b74c979e
Opcode Fuzzy Hash: f5f3ab162f6048a8ceb610abee09ebe0a6d78b00963c450ec37cb9d60aa04218
Instruction Fuzzy Hash: F5219DB1500705AFEB20EF65C948BA677FAEF42364F10442EE64692251E774EE09CFA4

Function 006A5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006A5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 006A5D17
FindClose.KERNEL32(?), ref: 006A5D5F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b7a065724cccb17cd73eb0585f326d118f57ad40dd2fa6079f1a2cce4559498d
Instruction ID: 5063774f6e5af436a536ff5909b931377ba2fb66152fd59e6eacb43139addf34
Opcode Fuzzy Hash: b7a065724cccb17cd73eb0585f326d118f57ad40dd2fa6079f1a2cce4559498d
Instruction Fuzzy Hash: C8519A74604A019FC714EF28C494EAAB7E6FF4A324F14855DE99A8B3A1CB30ED05CF95

Function 00662622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0066271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00662724
UnhandledExceptionFilter.KERNEL32(?), ref: 00662731

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 39a46545a31bc3bd4b3f35650f188db1ab2d9ae50f4648436d5b4a2be0237f40
Instruction ID: b6b62b22d15a446c2cb29286d45835308533a68c7a372ebd21067b156e727d04
Opcode Fuzzy Hash: 39a46545a31bc3bd4b3f35650f188db1ab2d9ae50f4648436d5b4a2be0237f40
Instruction Fuzzy Hash: D931D47490121DABCB61DF68DC88BDCBBB9AF08310F5041EAE80CA7261E7309F858F44

Function 006A51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006A51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006A5238
SetErrorMode.KERNEL32(00000000), ref: 006A52A1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 3cbccf0d3364c012f496ebb1eaf3601d23d4182c6b2c234d49bda9cab13d1325
Instruction ID: 98140618dc40d7b1427caa9e06c32cc2c0080d95679f3ab2310fdafbfed6d798
Opcode Fuzzy Hash: 3cbccf0d3364c012f496ebb1eaf3601d23d4182c6b2c234d49bda9cab13d1325
Instruction Fuzzy Hash: F4312B75A00518DFDB00DF55D884EADBBB6FF49314F088099E80AAB362DB31ED56CB90

Function 006916C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0064FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00650668
Part of subcall function 0064FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00650685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0069170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0069173A
GetLastError.KERNEL32 ref: 0069174A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 9a23680f15d3a72476d857ed7c25505169ae75c88d9bf8fbd6570763b1bd1040
Instruction ID: 4a00ee551eb3b95209e696105e6c7e34dcf6f3768fedc0d447525017bd21ec22
Opcode Fuzzy Hash: 9a23680f15d3a72476d857ed7c25505169ae75c88d9bf8fbd6570763b1bd1040
Instruction Fuzzy Hash: C511C1B2900305AFE7189F54EC86D6AB7BEEF04724B24852EE0565B641EB70BC428B24

Function 0069D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0069D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0069D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0069D650

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 336c100028f41cb2cdbeeaf1ba5afed24f806b5581d455cbaa973bb77dcd2e35
Instruction ID: e1c0334a13c671c7ff8b4361ea26cac97015c6b4664f8a098ec864da4fd39065
Opcode Fuzzy Hash: 336c100028f41cb2cdbeeaf1ba5afed24f806b5581d455cbaa973bb77dcd2e35
Instruction Fuzzy Hash: 22115E75E05228BFDB108F95EC45FAFBBBDEB45B60F108125F908E7290D6704A058BA1

Function 00691663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0069168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006916A1
FreeSid.ADVAPI32(?), ref: 006916B1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 48d5c038f44badc6819de66be5f298489a5ab38246ac8231dda8dea53edcd150
Instruction ID: df088e39bdc9c63eb06a92fa53cf962e505dd3027147b52af38e6da27c13662e
Opcode Fuzzy Hash: 48d5c038f44badc6819de66be5f298489a5ab38246ac8231dda8dea53edcd150
Instruction Fuzzy Hash: 20F0F471A50309FBDF00DFE49C89EAEBBBDFB08614F504565E901E2181E775AA448A54

Function 0066C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0066C36C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 5cc255faeee874b6777493a7a34bfa8e6e3c44b3f40edf7276642911b745d1ea
Instruction ID: 798efdd356e91411b01402a9d96b71d724735e1355e343955b4bb18a1b7aa076
Opcode Fuzzy Hash: 5cc255faeee874b6777493a7a34bfa8e6e3c44b3f40edf7276642911b745d1ea
Instruction Fuzzy Hash: BA413872500A19AFCB209FB9CC48DFB77BAEB84324F10426DF945D7280E6319E418B54

Function 0068D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0068D28C

Strings

X64, xrefs: 0068D2A8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 86559c9116330f4830d089c26f1ae2c3caacfe4312e1216b294946486cbfd94b
Instruction ID: c44b57c11e91a3507c5745e19f917f739eb5226ceda83fd5655943bb9182de2e
Opcode Fuzzy Hash: 86559c9116330f4830d089c26f1ae2c3caacfe4312e1216b294946486cbfd94b
Instruction Fuzzy Hash: 69D0CAB480112DEACB90DBA0EC88DEAB3BDBB04315F100292F20AA2040DB30964A9F20

Function 0065CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 2a5c10fd3d67b67abcc21792425a7625aec9c598bfd205ddd164dd72c7a62caa
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 34020D71E002199FDF14CFA9C8806EDBBF2EF48325F25816AD819E7344D731AA45CB94

Function 0063CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#p, xrefs: 0063CF7F
Variable is not of type 'Object'., xrefs: 00680C40

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#p
API String ID: 0-30852625
Opcode ID: d91823486572c2b60d0ae6a91f68b39523414a954a776e17b67dde382171c479
Instruction ID: 31da532aaf3a73e9205265478759446f49a50c5431f3fb175a67e61a3e04a0d1
Opcode Fuzzy Hash: d91823486572c2b60d0ae6a91f68b39523414a954a776e17b67dde382171c479
Instruction Fuzzy Hash: F8329A74900218DBDF54EF94C885AEDB7B6BF04314F148559F806BB392DB35AE4ACBA0

Function 006A68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006A6918
FindClose.KERNEL32(00000000), ref: 006A6961

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 6c6d41885a24a09d7ed314eb08f2106dd06f875b74152ee66e9ba5a175bc4c5d
Instruction ID: 7b72781c792d83b889bba65911e5b17b25387c427b6263b0e730c7e03a2ed717
Opcode Fuzzy Hash: 6c6d41885a24a09d7ed314eb08f2106dd06f875b74152ee66e9ba5a175bc4c5d
Instruction Fuzzy Hash: 0C117F756042019FC710DF29D484A16BBE6EF85328F18C69DF4698B7A2CB34EC05CB91

Function 006A37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006B4891,?,?,00000035,?), ref: 006A37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006B4891,?,?,00000035,?), ref: 006A37F4

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 2fbc23cd2f4db2f680d69e24bb4a145cbb30ee3bb7cbef32284a9c5d7ee9bbe6
Instruction ID: 62266579c2929837fed518eb25a5ebde1b04df6377ad3db22863d4d37d03767b
Opcode Fuzzy Hash: 2fbc23cd2f4db2f680d69e24bb4a145cbb30ee3bb7cbef32284a9c5d7ee9bbe6
Instruction Fuzzy Hash: 77F0E5B16043282AE76067669C4DFEB3AAFEFC6771F000165F50DD2281D9A09D44CAB4

Function 0069B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0069B25D
keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 0069B270

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 2c50d5b5ab4baec2e90383179be697e87d29fc3f1b32903d775f1de7e34a6251
Instruction ID: 6c19522dfa1e990bdaf46c950c2807d6c659f7f058bd6ee825c7d5b18600f41d
Opcode Fuzzy Hash: 2c50d5b5ab4baec2e90383179be697e87d29fc3f1b32903d775f1de7e34a6251
Instruction Fuzzy Hash: F5F01D7180424DABDF059FA0D805BFE7BB5FF04315F00901AF955A5191C37996119F94

Function 006910BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006911FC), ref: 006910D4
CloseHandle.KERNEL32(?,?,006911FC), ref: 006910E9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 66f33a39b7e42b3626710c7735acd9696879843b2a4cd4b607935645986f1407
Instruction ID: 55b4578ca68ec749521e6b29ce1951f4eec6be1c7c100ab1d8ae2d9044146fbc
Opcode Fuzzy Hash: 66f33a39b7e42b3626710c7735acd9696879843b2a4cd4b607935645986f1407
Instruction Fuzzy Hash: F8E04F32004600AEE7252B11FC05E737BAAEF04320B24882DF4AA804B1DB626C90DB14

Function 0066676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00666766,?,?,00000008,?,?,0066FEFE,00000000), ref: 00666998

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c890714334a4def127d4f45537309f9612e71027601baa12bb5031e81f6ba51a
Instruction ID: f6fa20924947463ee1f935c0a3fc54afd5857e8393062139d414c6ac90d08c07
Opcode Fuzzy Hash: c890714334a4def127d4f45537309f9612e71027601baa12bb5031e81f6ba51a
Instruction Fuzzy Hash: B9B15B316106099FD715CF28D48ABA57BE2FF45364F25865CF89ACF2A2C335E982CB40

Function 0064B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0068851F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 26dcfff8deeec5d17401768004d0077ce4d9c8928149e78ef3750a9ec46dbfb8
Instruction ID: dbb9db26788adfec4f7337a12b6e2c0b66e364e2ed7e5481bad0d65b68812a4b
Opcode Fuzzy Hash: 26dcfff8deeec5d17401768004d0077ce4d9c8928149e78ef3750a9ec46dbfb8
Instruction Fuzzy Hash: D51260719002299FCB64DF98C8816EEB7F6FF48710F54819AE849EB255DB349E81CF90

Function 006AEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006AEABD

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: fb38149ddfcbba8080c81f87db5e7db74164d5b0a80edc5d254093b51151fb0c
Instruction ID: 7161d6821cb58be51cd47f9d529ba0b4b2010dcac60ad1a44a2ebbc644c0cd3f
Opcode Fuzzy Hash: fb38149ddfcbba8080c81f87db5e7db74164d5b0a80edc5d254093b51151fb0c
Instruction Fuzzy Hash: E9E01A362002049FC710EF5AD804E9AB7EAAF99770F00841AFD49DB351DA71AC418B90

Function 006509D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,006503EE), ref: 006509DA

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 686c81985f017fb1e25badaf16a2006008a5359dc85a356d3c6c71ac8ce1930a
Instruction ID: 77a226791a44e208a7140c123c9f26d676dd599d9c70aff9223e11900a5510db
Opcode Fuzzy Hash: 686c81985f017fb1e25badaf16a2006008a5359dc85a356d3c6c71ac8ce1930a
Instruction Fuzzy Hash:

Function 0065781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0065798B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d23b7b77322a9305e16b42764d9a0a3d73d24158059411cb44c55e3c2bef5d21
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: C3518B7161C7055BDB388568B85D7FE638B9B12303F18052EDC82D7782CA15EE0ED36A

Function 006A2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&p, xrefs: 006A2053

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: 0&p
API String ID: 0-1223806618
Opcode ID: d3c38111ef881a3099e0e8c7b45a58cd46f41db91b859377ca6bee7aecea5762
Instruction ID: 513c864fbd48db3ffdaee5d3d25c76a1c18fc802c6c2e2947b5bea8cd0c14ef5
Opcode Fuzzy Hash: d3c38111ef881a3099e0e8c7b45a58cd46f41db91b859377ca6bee7aecea5762
Instruction Fuzzy Hash: 8721BB326605118BD728CF79C82367E73E5A754310F15862EE4A7C37D1DE7AAD04CB84

Function 00666DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f0f091381353cb008fec1b346e71f247c6decc5bf8a4ae90bb1317535b4eec
Instruction ID: ff60b1ee2491632fa3c3a711706edea957f86731c8dbd0356c58fc34d9c48f0e
Opcode Fuzzy Hash: 29f0f091381353cb008fec1b346e71f247c6decc5bf8a4ae90bb1317535b4eec
Instruction Fuzzy Hash: F132F321D2AF424DD7239634D832335A78AAFB73D9F15D737E81AB5AA5EF29C4834100

Function 0064CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9184158a167693b14b0fce408746b38bd639920b2a78a4a1147bacd2b964b48
Instruction ID: 9536410e947d8483c57790e0602e42f95e70f96a0ad55680483bb0af024981a5
Opcode Fuzzy Hash: d9184158a167693b14b0fce408746b38bd639920b2a78a4a1147bacd2b964b48
Instruction Fuzzy Hash: 67320631A001158BDF28EF29C4D46FD7BA3EF45330F28866AD95A9B791D230DD82DB61

Function 00637920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16f89ca61b5708effe63a855455375bf444d1f003bf5990aba4b992e9d6b6317
Instruction ID: 0632a8bf3a6338f8261a7d38bf35dff989a460423af42d10d2612158f292ec2c
Opcode Fuzzy Hash: 16f89ca61b5708effe63a855455375bf444d1f003bf5990aba4b992e9d6b6317
Instruction Fuzzy Hash: E522A0B0A0460ADFDF14CF64C881AEEB7F7FF44300F248569E816A7291EB75A915CB94

Function 006391C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c03f152acb24bd6e7597ebc12e843aae5a74e2ef9594f0fee5f01b5602ecb699
Instruction ID: 9eae5ee2b6ba687e145a3fa6cea9e115b560b865d15c2880c9da329c2d132c45
Opcode Fuzzy Hash: c03f152acb24bd6e7597ebc12e843aae5a74e2ef9594f0fee5f01b5602ecb699
Instruction Fuzzy Hash: E002B7B1E00115EBDB05DF54D881AAEB7B6FF48300F1081A9E81A9B391EB71AA15CFD5

Function 00651C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b4b97d3ad94721a2d46c30eaaa554e2668f3c102477ed5889079a7ba43a7ea68
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: D49177725080A34ADB29463985356BDFFF25E533A3B1A079DDCF2CE2C1EE14895DD620

Function 006519B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: aebdf2603426cb55d6e97aa0f7bebe88cb11576f94e185e20afce4bcfc84ca92
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 059158726090A34ADB2E427A85741BDFFE25A933A3B1A079DD8F2CE2C1FD14C55DD620

Function 00657A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22f31321085f2d1d5f0504d7194d6183e1b27e4f5230b980a876a7271cee3434
Instruction ID: d5ef151b7162fdea43fe959d4643688ad026d66c4db2b009089b763414817906
Opcode Fuzzy Hash: 22f31321085f2d1d5f0504d7194d6183e1b27e4f5230b980a876a7271cee3434
Instruction Fuzzy Hash: 4061567160870A5BEA349E28BD95BFE239BDF51303F14091DEC42DB381DA11AE4EC319

Function 00657CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddeb0fa200a1d3638e60433a36ef8467ac530647c7f50d8998cb333256452201
Instruction ID: 503a420fa969d302496b2dc1bb487af6f8ffbc59b354f9838333583088260557
Opcode Fuzzy Hash: ddeb0fa200a1d3638e60433a36ef8467ac530647c7f50d8998cb333256452201
Instruction Fuzzy Hash: 05616C7120870956DF384A28B856BFE23A7DF41703F100B5DED83DB781EA129D4F8255

Function 00651706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 1e1664daae0e2f7a0e984136cd22b3668cfd9eac30c9896fc8cd902865f86fdc
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 5E8168725090A30ADB6D423D85345BEFFE35A933A3B1A079DD8F2CE2C1EE14995CD620

Function 0064D07D Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47a302dc2a14eff8bd4ab067704746d847afafeebdc3610a676d1bbcf591d726
Instruction ID: 309ed1e2638fe42e45edf1b1522a0eba305a25bbbccb1a16a01122b03251cc02
Opcode Fuzzy Hash: 47a302dc2a14eff8bd4ab067704746d847afafeebdc3610a676d1bbcf591d726
Instruction Fuzzy Hash: 4541D4D288EAD09FDB038B306C68968BFA0AD6755878E82DFD0854B097F351410DC766

Function 006B2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006B2B30
DeleteObject.GDI32(00000000), ref: 006B2B43
DestroyWindow.USER32 ref: 006B2B52
GetDesktopWindow.USER32 ref: 006B2B6D
GetWindowRect.USER32(00000000), ref: 006B2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 006B2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 006B2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2CF8
GetClientRect.USER32(00000000,?), ref: 006B2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006B2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2D80
GlobalLock.KERNEL32(00000000), ref: 006B2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2D98
GlobalUnlock.KERNEL32(00000000), ref: 006B2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2DA8
GlobalFree.KERNEL32(00000000), ref: 006B2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,006CFC38,00000000), ref: 006B2DDB
GlobalFree.KERNEL32(00000000), ref: 006B2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 006B2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 006B2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006B303F

Strings

, xrefs: 006B2FC5
DISPLAY, xrefs: 006B2EA2
AutoIt v3, xrefs: 006B2CF2
static, xrefs: 006B2D3A, 006B2E91

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: b78296d226f6c3f44f9d199e6a13ae676ef74f145ac2f728c7a86ec181c922b7
Instruction ID: 072c78e61c9f61140392b7be9d73a54ce29b526ec661cb75f7320987a0f940a2
Opcode Fuzzy Hash: b78296d226f6c3f44f9d199e6a13ae676ef74f145ac2f728c7a86ec181c922b7
Instruction Fuzzy Hash: 61027EB1900215EFDB14DF65CD89EAE7BBAEF48320F049158F919AB2A1CB749D41CB60

Function 006C70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006C712F
GetSysColorBrush.USER32(0000000F), ref: 006C7160
GetSysColor.USER32(0000000F), ref: 006C716C
SetBkColor.GDI32(?,000000FF), ref: 006C7186
SelectObject.GDI32(?,?), ref: 006C7195
InflateRect.USER32(?,000000FF,000000FF), ref: 006C71C0
GetSysColor.USER32(00000010), ref: 006C71C8
CreateSolidBrush.GDI32(00000000), ref: 006C71CF
FrameRect.USER32(?,?,00000000), ref: 006C71DE
DeleteObject.GDI32(00000000), ref: 006C71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 006C7230
FillRect.USER32(?,?,?), ref: 006C7262
GetWindowLongW.USER32(?,000000F0), ref: 006C7284

Part of subcall function 006C73E8: GetSysColor.USER32(00000012), ref: 006C7421
Part of subcall function 006C73E8: SetTextColor.GDI32(?,?), ref: 006C7425
Part of subcall function 006C73E8: GetSysColorBrush.USER32(0000000F), ref: 006C743B
Part of subcall function 006C73E8: GetSysColor.USER32(0000000F), ref: 006C7446
Part of subcall function 006C73E8: GetSysColor.USER32(00000011), ref: 006C7463
Part of subcall function 006C73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006C7471
Part of subcall function 006C73E8: SelectObject.GDI32(?,00000000), ref: 006C7482
Part of subcall function 006C73E8: SetBkColor.GDI32(?,00000000), ref: 006C748B
Part of subcall function 006C73E8: SelectObject.GDI32(?,?), ref: 006C7498
Part of subcall function 006C73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006C74B7
Part of subcall function 006C73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006C74CE
Part of subcall function 006C73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006C74DB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: a7dc17683535118d9f587f52cd59ccd93c0c5a4d2c3bf9d0c81b475205b429da
Instruction ID: 94847ca6c16af5c8802ca6e6d012ec5cf95e40eaa5e47c1987609be2c829a90a
Opcode Fuzzy Hash: a7dc17683535118d9f587f52cd59ccd93c0c5a4d2c3bf9d0c81b475205b429da
Instruction Fuzzy Hash: FFA1AC72008301AFDB009F64DC48EBBBBAAFB89330F141A19F966961E1D735E945CF51

Function 00648D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00648E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00686AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00686AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00686F43

Part of subcall function 00648F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00648BE8,?,00000000,?,?,?,?,00648BBA,00000000,?), ref: 00648FC5

SendMessageW.USER32(?,00001053), ref: 00686F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00686F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00686FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00686FB7

Strings

0, xrefs: 00686DCF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ac1baf230503fe8b54d6a5d9ed16fd59e481de63f695eb109cd3a316c8971cd9
Instruction ID: 60aa024406804eaaa2d94049fb86f15fb410ebbf5dbaa1990e04ce6ce054ad59
Opcode Fuzzy Hash: ac1baf230503fe8b54d6a5d9ed16fd59e481de63f695eb109cd3a316c8971cd9
Instruction Fuzzy Hash: 6C12AC30604241DFDB25EF24C848BAABBE3FF44310F548669F5898B261CB31EC92DB95

Function 006B2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006B273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006B286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006B28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006B28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 006B2900
GetClientRect.USER32(00000000,?), ref: 006B290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006B2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006B2964
GetStockObject.GDI32(00000011), ref: 006B2974
SelectObject.GDI32(00000000,00000000), ref: 006B2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006B2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006B2991
DeleteDC.GDI32(00000000), ref: 006B299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006B29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006B29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 006B2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006B2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 006B2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006B2A77
GetStockObject.GDI32(00000011), ref: 006B2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006B2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006B2A97

Strings

DISPLAY, xrefs: 006B295A
AutoIt v3, xrefs: 006B28F8
static, xrefs: 006B294F, 006B2A71
msctls_progress32, xrefs: 006B2A13

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 3fa79591d6e7c1870785f44b57ff155f3bc614b70c663806c1fd44ae286693ea
Instruction ID: cd33c111674f512812b25f6d9ede597549e532b447355c9461b80211c6652144
Opcode Fuzzy Hash: 3fa79591d6e7c1870785f44b57ff155f3bc614b70c663806c1fd44ae286693ea
Instruction Fuzzy Hash: 29B152B1A40215AFDB14DF65CC49FAEBBBAEB45720F008158F915E7290DB74ED40CB94

Function 006A4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006A4AED
GetDriveTypeW.KERNEL32(?,006CCB68,?,\\.\,006CCC08), ref: 006A4BCA
SetErrorMode.KERNEL32(00000000,006CCB68,?,\\.\,006CCC08), ref: 006A4D36

Strings

SSA, xrefs: 006A4CA6
Unknown, xrefs: 006A4BED, 006A4C83
PhysicalDrive, xrefs: 006A4B76
ATA, xrefs: 006A4C98
1394, xrefs: 006A4C9F
MMC, xrefs: 006A4CDE
Fixed, xrefs: 006A4C09
CDROM, xrefs: 006A4BFB
Virtual, xrefs: 006A4CE5
\\.\, xrefs: 006A4B3F
Fibre, xrefs: 006A4CAD
RAID, xrefs: 006A4CBB
ATAPI, xrefs: 006A4C91
Removable, xrefs: 006A4C10, 006A4C15
RAMDisk, xrefs: 006A4BF4
FileBackedVirtual, xrefs: 006A4CEC
Network, xrefs: 006A4C02
SAS, xrefs: 006A4CC9
USB, xrefs: 006A4CB4
SCSI, xrefs: 006A4C8A
SSD, xrefs: 006A4C4A
SATA, xrefs: 006A4CD0
iSCSI, xrefs: 006A4CC2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2a1f3b36929cf219975fbd88cde1a34f21fcd6809ed1af066ad2e96bcb424f3a
Instruction ID: a5bc703407b6871ce4e9e7dfb7b20bdeeaf84bfb07b1f1ac4eebb3a0e6f00544
Opcode Fuzzy Hash: 2a1f3b36929cf219975fbd88cde1a34f21fcd6809ed1af066ad2e96bcb424f3a
Instruction Fuzzy Hash: 5E61A3306062099BCB04FF28CD829B877B3AF86350B248419F90BAB651DFB5DD42DF55

Function 006C73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006C7421
SetTextColor.GDI32(?,?), ref: 006C7425
GetSysColorBrush.USER32(0000000F), ref: 006C743B
GetSysColor.USER32(0000000F), ref: 006C7446
CreateSolidBrush.GDI32(?), ref: 006C744B
GetSysColor.USER32(00000011), ref: 006C7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006C7471
SelectObject.GDI32(?,00000000), ref: 006C7482
SetBkColor.GDI32(?,00000000), ref: 006C748B
SelectObject.GDI32(?,?), ref: 006C7498
InflateRect.USER32(?,000000FF,000000FF), ref: 006C74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006C74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006C74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006C752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006C7554
InflateRect.USER32(?,000000FD,000000FD), ref: 006C7572
DrawFocusRect.USER32(?,?), ref: 006C757D
GetSysColor.USER32(00000011), ref: 006C758E
SetTextColor.GDI32(?,00000000), ref: 006C7596
DrawTextW.USER32(?,006C70F5,000000FF,?,00000000), ref: 006C75A8
SelectObject.GDI32(?,?), ref: 006C75BF
DeleteObject.GDI32(?), ref: 006C75CA
SelectObject.GDI32(?,?), ref: 006C75D0
DeleteObject.GDI32(?), ref: 006C75D5
SetTextColor.GDI32(?,?), ref: 006C75DB
SetBkColor.GDI32(?,?), ref: 006C75E5

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 101ce19aef55031aa60008bccd3a7bc9ab82a76c25d14479c330d8a07df76fa1
Instruction ID: 0daaa593e55323864025f5ac7bdf8adec393b768d015a65e4d426331398b5f78
Opcode Fuzzy Hash: 101ce19aef55031aa60008bccd3a7bc9ab82a76c25d14479c330d8a07df76fa1
Instruction Fuzzy Hash: 20614B72900218AFDF019FA8DC49EEEBFBAEB09320F159115F915AB2A1D7759940CF90

Function 006C0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006C1128
GetDesktopWindow.USER32 ref: 006C113D
GetWindowRect.USER32(00000000), ref: 006C1144
GetWindowLongW.USER32(?,000000F0), ref: 006C1199
DestroyWindow.USER32(?), ref: 006C11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006C11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006C120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006C121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 006C1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 006C1245
IsWindowVisible.USER32(00000000), ref: 006C12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006C12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006C12D0
GetWindowRect.USER32(00000000,?), ref: 006C12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 006C130E
GetMonitorInfoW.USER32(00000000,?), ref: 006C1328
CopyRect.USER32(?,?), ref: 006C133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006C13AA

Strings

tooltips_class32, xrefs: 006C11E6
(, xrefs: 006C131B
0, xrefs: 006C10D3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 7251c9ccc3f3d383324733f4987d9067c64962360cc084df3101cfb9df13bb4d
Instruction ID: d000ed32ffbc9b60ef1cc1a30e66aa6f3345c697d931e119dae2901bde53f4a1
Opcode Fuzzy Hash: 7251c9ccc3f3d383324733f4987d9067c64962360cc084df3101cfb9df13bb4d
Instruction Fuzzy Hash: 0CB1AC71604340AFD740DF64C884FAABBE6FF86314F00891DF9999B262CB71E845CBA5

Function 006C0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006C02E5
_wcslen.LIBCMT ref: 006C031F
_wcslen.LIBCMT ref: 006C0389
_wcslen.LIBCMT ref: 006C03F1
_wcslen.LIBCMT ref: 006C0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006C04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006C0504

Part of subcall function 0064F9F2: _wcslen.LIBCMT ref: 0064F9FD

Part of subcall function 0069223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00692258
Part of subcall function 0069223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0069228A

Strings

GETSELECTED, xrefs: 006C05E1
SELECT, xrefs: 006C0548
SELECTCLEAR, xrefs: 006C052D
GETTEXT, xrefs: 006C03EC, 006C0407
SELECTALL, xrefs: 006C0515
GETSELECTEDCOUNT, xrefs: 006C0470, 006C048B
GETSUBITEMCOUNT, xrefs: 006C0384, 006C039F
GETITEMCOUNT, xrefs: 006C0316, 006C0337
VIEWCHANGE, xrefs: 006C0675
ISSELECTED, xrefs: 006C04DD
SELECTINVERT, xrefs: 006C057E
DESELECT, xrefs: 006C059C
FINDITEM, xrefs: 006C0627

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: b01fe73d5f879ada216a6249c116ab1234b8c26aaae940c2a1beff3af4a14a46
Instruction ID: e0d7ea2d5901fdbe98b1b102f209c2686d415553cf5e8ce0899b213dec01fbf6
Opcode Fuzzy Hash: b01fe73d5f879ada216a6249c116ab1234b8c26aaae940c2a1beff3af4a14a46
Instruction Fuzzy Hash: 3BE17831208201DB9B58DF24C551A7AB7E7FF88314F14895DF896AB3A1DB30ED468B91

Function 00648891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00648968
GetSystemMetrics.USER32(00000007), ref: 00648970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0064899B
GetSystemMetrics.USER32(00000008), ref: 006489A3
GetSystemMetrics.USER32(00000004), ref: 006489C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 006489E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 006489F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00648A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00648A3C
GetClientRect.USER32(00000000,000000FF), ref: 00648A5A
GetStockObject.GDI32(00000011), ref: 00648A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00648A81

Part of subcall function 0064912D: GetCursorPos.USER32(?), ref: 00649141
Part of subcall function 0064912D: ScreenToClient.USER32(00000000,?), ref: 0064915E
Part of subcall function 0064912D: GetAsyncKeyState.USER32(00000001), ref: 00649183
Part of subcall function 0064912D: GetAsyncKeyState.USER32(00000002), ref: 0064919D

SetTimer.USER32(00000000,00000000,00000028,006490FC), ref: 00648AA8

Strings

AutoIt v3 GUI, xrefs: 00648A20

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0ba1e609f84875a2ccfa333b462a94893b47d9ee265e21c640ce2e9396ed0561
Instruction ID: 0ccbb8eb4209de8f3aadc42f9254ee32abc62a0ea177f5ccb6e8d747d8939be2
Opcode Fuzzy Hash: 0ba1e609f84875a2ccfa333b462a94893b47d9ee265e21c640ce2e9396ed0561
Instruction Fuzzy Hash: 5BB16B71A00209DFDB14DFA8CD45FEE3BB6FB48324F108229FA19A7290DB74A941CB55

Function 00690D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006910F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00691114
Part of subcall function 006910F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 00691120
Part of subcall function 006910F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 0069112F
Part of subcall function 006910F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 00691136
Part of subcall function 006910F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0069114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00690DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00690E29
GetLengthSid.ADVAPI32(?), ref: 00690E40
GetAce.ADVAPI32(?,00000000,?), ref: 00690E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00690E96
GetLengthSid.ADVAPI32(?), ref: 00690EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00690EB5
HeapAlloc.KERNEL32(00000000), ref: 00690EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00690EDD
CopySid.ADVAPI32(00000000), ref: 00690EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00690F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00690F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00690F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00690F6E
HeapFree.KERNEL32(00000000), ref: 00690F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00690F7E
HeapFree.KERNEL32(00000000), ref: 00690F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00690F8E
HeapFree.KERNEL32(00000000), ref: 00690F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00690FA1
HeapFree.KERNEL32(00000000), ref: 00690FA8

Part of subcall function 00691193: GetProcessHeap.KERNEL32(00000008,00690BB1,?,00000000,?,00690BB1,?), ref: 006911A1
Part of subcall function 00691193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00690BB1,?), ref: 006911A8
Part of subcall function 00691193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00690BB1,?), ref: 006911B7

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1c476121ca81685487db297c0fdf98e3328de7e1ffde7b738871231ae00fa648
Instruction ID: e18d6cd515e11991adf6b767f200ad6a1950239baea1ddfab19d0fd75e9d1ce2
Opcode Fuzzy Hash: 1c476121ca81685487db297c0fdf98e3328de7e1ffde7b738871231ae00fa648
Instruction Fuzzy Hash: F171277290020AAFEF209FA5DC48FFEBBBEEF05310F148115E919E6691D7719A05CB60

Function 006BC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006BC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,006CCC08,00000000,?,00000000,?,?), ref: 006BC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006BC5A4
_wcslen.LIBCMT ref: 006BC5F4
_wcslen.LIBCMT ref: 006BC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006BC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006BC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006BC84D
RegCloseKey.ADVAPI32(?), ref: 006BC881
RegCloseKey.ADVAPI32(00000000), ref: 006BC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006BC960

Strings

REG_EXPAND_SZ, xrefs: 006BC5CD
REG_QWORD, xrefs: 006BC8C3
REG_DWORD, xrefs: 006BC804
REG_MULTI_SZ, xrefs: 006BC6F5
REG_BINARY, xrefs: 006BC913
REG_SZ, xrefs: 006BC644

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: e225fa382beeb370063502ba791c9c5f129f4e49e4a7657b645a6f268c5d44cf
Instruction ID: 88464279d6a9e9eb1f46fc370adf4cbe2a17461566f741f5c148e96f598025c9
Opcode Fuzzy Hash: e225fa382beeb370063502ba791c9c5f129f4e49e4a7657b645a6f268c5d44cf
Instruction Fuzzy Hash: 66126B756042019FDB54DF14C881E6AB7E6FF88724F04889DF89A9B3A2DB31ED41CB85

Function 006C091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006C09C6
_wcslen.LIBCMT ref: 006C0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006C0A54
_wcslen.LIBCMT ref: 006C0A8A
_wcslen.LIBCMT ref: 006C0B06
_wcslen.LIBCMT ref: 006C0B81

Part of subcall function 0064F9F2: _wcslen.LIBCMT ref: 0064F9FD

Part of subcall function 00692BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00692BFA

Strings

GETSELECTED, xrefs: 006C0C4E
EXPAND, xrefs: 006C0BF8
SELECT, xrefs: 006C0D11
EXISTS, xrefs: 006C0B7C, 006C0B97
GETTOTALCOUNT, xrefs: 006C09F2, 006C0A17
GETTEXT, xrefs: 006C0C97
UNCHECK, xrefs: 006C0D3E
CHECK, xrefs: 006C0A85, 006C0AA0
GETITEMCOUNT, xrefs: 006C0C1E
ISCHECKED, xrefs: 006C0CE1
COLLAPSE, xrefs: 006C0B01, 006C0B1C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: ba1e42055c14a13a465adf210195d8c92629b55819f28b20793c3e39842524f0
Instruction ID: fa8fd9e00d2eb3be63764b35febbc94fd365d88d2a2a7450c5a18716cf40fef9
Opcode Fuzzy Hash: ba1e42055c14a13a465adf210195d8c92629b55819f28b20793c3e39842524f0
Instruction Fuzzy Hash: 9CE15535208201DBCB54DF24C450A6AB7E3FF98314F15895DF8969B3A2DB31ED46CB85

Function 006BC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006BB6AE,?,?), ref: 006BC9B5
_wcslen.LIBCMT ref: 006BC9F1
_wcslen.LIBCMT ref: 006BCA68
_wcslen.LIBCMT ref: 006BCA9E
_wcslen.LIBCMT ref: 006BCAF9
_wcslen.LIBCMT ref: 006BCB2F
_wcslen.LIBCMT ref: 006BCB7F

Strings

HKCU, xrefs: 006BCBCE
HKEY_CURRENT_CONFIG, xrefs: 006BCB79, 006BCB7E
HKEY_CLASSES_ROOT, xrefs: 006BCAF3, 006BCAF8
HKCC, xrefs: 006BCBAC
HKEY_LOCAL_MACHINE, xrefs: 006BCA62, 006BCA67
HKU, xrefs: 006BCBF0
HKEY_USERS, xrefs: 006BCBDF
HKLM, xrefs: 006BCA98, 006BCA9D
HKCR, xrefs: 006BCB29, 006BCB2E
HKEY_CURRENT_USER, xrefs: 006BCBBD

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 2ccebcf75011a407e1950e5f62b0835b121fcd4b0bca6f2e45379d3fc8ada9e7
Instruction ID: d320f436f4bcb19a461b2d7dfc7f77ef98a0f4de0fa4d3a802efc3c3c4d9a729
Opcode Fuzzy Hash: 2ccebcf75011a407e1950e5f62b0835b121fcd4b0bca6f2e45379d3fc8ada9e7
Instruction Fuzzy Hash: 9871C3B261012A8BCB20DE6CC9515FE3793AB61774F250528FC56AB385EA31DFC583A4

Function 006C833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006C835A
_wcslen.LIBCMT ref: 006C836E
_wcslen.LIBCMT ref: 006C8391
_wcslen.LIBCMT ref: 006C83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006C83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006C5BF2), ref: 006C844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006C8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006C84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006C8501
FreeLibrary.KERNEL32(?), ref: 006C850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006C851D
DestroyIcon.USER32(?,?,?,?,?,006C5BF2), ref: 006C852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006C8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006C8555

Strings

.icl, xrefs: 006C8368
.dll, xrefs: 006C83AB
.exe, xrefs: 006C8388

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: b3808d68892904ea01d83c2d21cc04534e51f1b363614dc73e2d78706573451a
Instruction ID: 5c23af33e3eab1e9efa0e2354ad0861822aaae9e6572be857d58878a0a9be858
Opcode Fuzzy Hash: b3808d68892904ea01d83c2d21cc04534e51f1b363614dc73e2d78706573451a
Instruction Fuzzy Hash: ED61BC71500219BEEB289F64CC45FFE77AAEB04721F10864AF915D71D1DFB4AA90CBA0

Function 00637778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Cannot parse #include, xrefs: 00675279
#notrayicon, xrefs: 006377E7
#comments-end, xrefs: 006378D9
Unterminated group of comments, xrefs: 0067528C
#include, xrefs: 00637847
#include-once, xrefs: 0063782F
#ce, xrefs: 006378ED
", xrefs: 00675153
#OnAutoItStartRegister, xrefs: 00637817
Bad directive syntax error, xrefs: 0067519A
#pragma compile, xrefs: 006377D3
#comments-start, xrefs: 0063785F, 006378B1
#cs, xrefs: 00637873, 006378C5
#requireadmin, xrefs: 006377FF
', xrefs: 00675169

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 446df7f40240a7c4d7b5a8f712fa780da179c804e3aac45af9013fa50af56108
Instruction ID: 75da97747682134ae087677b5eaa0773b69a4e7d0930020b3a0c0b95173bdc06
Opcode Fuzzy Hash: 446df7f40240a7c4d7b5a8f712fa780da179c804e3aac45af9013fa50af56108
Instruction Fuzzy Hash: 8381B8B1604605BBDB60AF60DC42FEE77BBAF15301F054068F909AB292EBB0D915C7E5

Function 006A3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 006A3EF8
_wcslen.LIBCMT ref: 006A3F03
_wcslen.LIBCMT ref: 006A3F5A
_wcslen.LIBCMT ref: 006A3F98
GetDriveTypeW.KERNEL32(?), ref: 006A3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006A401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006A4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006A4087

Strings

closed, xrefs: 006A3F08, 006A3F2D, 006A3F46, 006A3F7E, 006A3F97
wait, xrefs: 006A4044
set cd door , xrefs: 006A4028
close, xrefs: 006A3EFE, 006A3F18
close cd wait, xrefs: 006A4072
open, xrefs: 006A3F54, 006A3F59
open , xrefs: 006A3FE5
type cdaudio alias cd wait, xrefs: 006A4001

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: db322e29b9467e3eedbe6e946a57809df8ec4433630b7cf7094b8e4c4a10da84
Instruction ID: 39f05cc0250af23b6eb2023565d86836caa85a6b7b90a559ecb8588cf5729568
Opcode Fuzzy Hash: db322e29b9467e3eedbe6e946a57809df8ec4433630b7cf7094b8e4c4a10da84
Instruction Fuzzy Hash: 8271E0726042119FC310EF24C8818AAB7F6EF95768F10892DF99697351EB30EE45CF91

Function 00695A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00695A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00695A40
SetWindowTextW.USER32(?,?), ref: 00695A57
GetDlgItem.USER32(?,000003EA), ref: 00695A6C
SetWindowTextW.USER32(00000000,?), ref: 00695A72
GetDlgItem.USER32(?,000003E9), ref: 00695A82
SetWindowTextW.USER32(00000000,?), ref: 00695A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00695AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00695AC3
GetWindowRect.USER32(?,?), ref: 00695ACC
_wcslen.LIBCMT ref: 00695B33
SetWindowTextW.USER32(?,?), ref: 00695B6F
GetDesktopWindow.USER32 ref: 00695B75
GetWindowRect.USER32(00000000), ref: 00695B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00695BD3
GetClientRect.USER32(?,?), ref: 00695BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00695C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00695C2F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 642fe5b32b93e281451be319ffc161dc19950f8f9d3baf59ad2d8fdb67eae76c
Instruction ID: 2eb29417fe51611f9244761856da7161a53c49deb932e3feb44c9fc558acbb9a
Opcode Fuzzy Hash: 642fe5b32b93e281451be319ffc161dc19950f8f9d3baf59ad2d8fdb67eae76c
Instruction Fuzzy Hash: F1718F31900B059FDF21DFA9CE95EAEBBFAFF48714F104518E547A2AA0D775A940CB10

Function 006AFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 006AFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 006AFE32
LoadCursorW.USER32(00000000,00007F00), ref: 006AFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 006AFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 006AFE53
LoadCursorW.USER32(00000000,00007F01), ref: 006AFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 006AFE69
LoadCursorW.USER32(00000000,00007F88), ref: 006AFE74
LoadCursorW.USER32(00000000,00007F80), ref: 006AFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 006AFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 006AFE95
LoadCursorW.USER32(00000000,00007F85), ref: 006AFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 006AFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 006AFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 006AFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 006AFECC
GetCursorInfo.USER32(?), ref: 006AFEDC
GetLastError.KERNEL32 ref: 006AFF1E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 7b80ccde24ac3fcb75dd839fd4c5b8c84cf023b008f77f7249f44739f96bad84
Instruction ID: 34f65eafa03be8508b337116c5d8a2725edd577ff215a328977cedff3c186e82
Opcode Fuzzy Hash: 7b80ccde24ac3fcb75dd839fd4c5b8c84cf023b008f77f7249f44739f96bad84
Instruction Fuzzy Hash: B94151B0D043196EDB109FBA8C89C6EBFE9FF05364B50452AF11DE7281DB78A9018F91

Function 006930F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0069318D
_wcslen.LIBCMT ref: 006931F8

Strings

INSTANCE, xrefs: 00693453
[o, xrefs: 0069339A
NAME, xrefs: 00693335, 00693346
CLASSNN, xrefs: 006931F3, 00693204
TEXT, xrefs: 0069347C
REGEXPCLASS, xrefs: 00693255, 00693266
CLASS, xrefs: 00693188, 006931A5

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[o
API String ID: 176396367-1026763703
Opcode ID: 344194cb0d9dccbdb69b5814ea6fe6eb82534bcafc038ff787199e9d0b06880b
Instruction ID: 3fe491a939d8a75e103ab7588193c444ef2df525510a2f8e683ea0f41c846498
Opcode Fuzzy Hash: 344194cb0d9dccbdb69b5814ea6fe6eb82534bcafc038ff787199e9d0b06880b
Instruction Fuzzy Hash: EBE10232A00526ABCF189FA8C4516FEBBBBBF04710F558129E556A7740DB30AF859790

Function 006500C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 006500C6

Part of subcall function 006500ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0070070C,00000FA0,683680D9,?,?,?,?,006723B3,000000FF), ref: 0065011C
Part of subcall function 006500ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,006723B3,000000FF), ref: 00650127
Part of subcall function 006500ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,006723B3,000000FF), ref: 00650138
Part of subcall function 006500ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0065014E
Part of subcall function 006500ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0065015C
Part of subcall function 006500ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0065016A
Part of subcall function 006500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00650195
Part of subcall function 006500ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006501A0

___scrt_fastfail.LIBCMT ref: 006500E7

Part of subcall function 006500A3: __onexit.LIBCMT ref: 006500A9

Strings

WakeAllConditionVariable, xrefs: 00650162
InitializeConditionVariable, xrefs: 00650148
SleepConditionVariableCS, xrefs: 00650154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00650122
kernel32.dll, xrefs: 00650133

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 0e7b0244a16b7e9dd9766b00a79b715a562c87743f9e9d361a3ac0050c664a80
Instruction ID: c358c1890f99fcd585cee413e1f157d13d6217e3ef6434c5ea5d8292df7c9c2b
Opcode Fuzzy Hash: 0e7b0244a16b7e9dd9766b00a79b715a562c87743f9e9d361a3ac0050c664a80
Instruction Fuzzy Hash: 86210732640B01ABFB205BA4AC05F7A3797EF44B72F15012DFC05927D1DF68D8048A95

Function 006A44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,006CCC08), ref: 006A4527
_wcslen.LIBCMT ref: 006A453B
_wcslen.LIBCMT ref: 006A4599
_wcslen.LIBCMT ref: 006A45F4
_wcslen.LIBCMT ref: 006A463F
_wcslen.LIBCMT ref: 006A46A7

Part of subcall function 0064F9F2: _wcslen.LIBCMT ref: 0064F9FD

GetDriveTypeW.KERNEL32(?,006F6BF0,00000061), ref: 006A4743

Strings

ramdisk, xrefs: 006A46F1
all, xrefs: 006A4531, 006A4536
unknown, xrefs: 006A4708
removable, xrefs: 006A45EA, 006A45EF
cdrom, xrefs: 006A458F, 006A4594
network, xrefs: 006A469D, 006A46A2
fixed, xrefs: 006A4635, 006A463A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 1e6d1ae7b67d587856c2abcfef92484e3c4f90bea7c2afa35ed02ad3c2cf18f0
Instruction ID: e239cd2bd8e6e8da7971b1330c796af71a2f4c8f9aa3f87565acf65311f612a4
Opcode Fuzzy Hash: 1e6d1ae7b67d587856c2abcfef92484e3c4f90bea7c2afa35ed02ad3c2cf18f0
Instruction Fuzzy Hash: 7AB1C1716083029BC710EF28C891AAAB7E7AFE6764F50491DF496C7391DBB0DC45CA92

Function 006C911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

DragQueryPoint.SHELL32(?,?), ref: 006C9147

Part of subcall function 006C7674: ClientToScreen.USER32(?,?), ref: 006C769A
Part of subcall function 006C7674: GetWindowRect.USER32(?,?), ref: 006C7710
Part of subcall function 006C7674: PtInRect.USER32(?,?,006C8B89), ref: 006C7720

SendMessageW.USER32(?,000000B0,?,?), ref: 006C91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006C91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006C91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006C9225
SendMessageW.USER32(?,000000B0,?,?), ref: 006C923E
SendMessageW.USER32(?,000000B1,?,?), ref: 006C9255
SendMessageW.USER32(?,000000B1,?,?), ref: 006C9277
DragFinish.SHELL32(?), ref: 006C927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006C9371

Strings

@GUI_DRAGFILE, xrefs: 006C9320
p#p, xrefs: 006C92BB
@GUI_DRAGID, xrefs: 006C92E9
@GUI_DROPID, xrefs: 006C929E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#p
API String ID: 221274066-541875553
Opcode ID: 814bef0fe95e04d58b06fa2ccee935730e5e8e3ae7a61516ca7be73ccb0d8c97
Instruction ID: e7f44859ca9893cbafc3d6d408e21c459bbd784d6c894199cadb07e84a41049f
Opcode Fuzzy Hash: 814bef0fe95e04d58b06fa2ccee935730e5e8e3ae7a61516ca7be73ccb0d8c97
Instruction Fuzzy Hash: 29618E71108301AFC701DF50DC85EAFBBEAEFC8750F40492DF595921A0DB709A49CBA6

Function 0063326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00701990), ref: 00672F8D
GetMenuItemCount.USER32(00701990), ref: 0067303D
GetCursorPos.USER32(?), ref: 00673081
SetForegroundWindow.USER32(00000000), ref: 0067308A
TrackPopupMenuEx.USER32(00701990,00000000,?,00000000,00000000,00000000), ref: 0067309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006730A9

Strings

0, xrefs: 0063327D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 9f48762f6cd7652caa1a7c171311cdb1e3ebb7d36264710eb561b405f3d2afd2
Instruction ID: 8f40d9c732cf8329e0aef3e86302725dd73b4f74a47c23eb3be46c95c24257e3
Opcode Fuzzy Hash: 9f48762f6cd7652caa1a7c171311cdb1e3ebb7d36264710eb561b405f3d2afd2
Instruction Fuzzy Hash: 18712A70644216BFEB218F24CD59FEABF66FF04324F208216F518AA3E0C7B1A950D790

Function 006C6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 006C6DEB

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006C6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006C6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006C6E94
DestroyWindow.USER32(?), ref: 006C6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00630000,00000000), ref: 006C6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006C6EFD
GetDesktopWindow.USER32 ref: 006C6F16
GetWindowRect.USER32(00000000), ref: 006C6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006C6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006C6F4D

Part of subcall function 00649944: GetWindowLongW.USER32(?,000000EB), ref: 00649952

Strings

0, xrefs: 006C6D98
tooltips_class32, xrefs: 006C6E58, 006C6EDD

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: a019ee3ffcd3a071c815cb7cd0fd3b9fc6ade49418a86c4e869b4854a7083dfd
Instruction ID: 2c8dcc407dfc5a8c097cd936d9129369d58b17cbe2d887690aea5a0b98960e0a
Opcode Fuzzy Hash: a019ee3ffcd3a071c815cb7cd0fd3b9fc6ade49418a86c4e869b4854a7083dfd
Instruction Fuzzy Hash: B2714674104244AFDB21CF18D858FBABBEAFF89314F44851EF99987361CB70A906DB19

Function 006AC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006AC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006AC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006AC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 006AC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 006AC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 006AC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006AC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006AC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 006AC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 006AC5F0
InternetCloseHandle.WININET(00000000), ref: 006AC5FB

Strings

, xrefs: 006AC575

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 62247340588faa5c2c80cca097b83b4c43898063e550959d81316d82886391d5
Instruction ID: 31568718a1708eb32981785c5de4adbe8e01eebcae0b6b0a67925f3c98c92a2a
Opcode Fuzzy Hash: 62247340588faa5c2c80cca097b83b4c43898063e550959d81316d82886391d5
Instruction Fuzzy Hash: EC514AB0500204AFDB21AF64C948ABA7BFEEF09764F005419F94996610DB34EE549F60

Function 006C856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 006C8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006C85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006C85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006C85BA
GlobalLock.KERNEL32(00000000), ref: 006C85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006C85D7
GlobalUnlock.KERNEL32(00000000), ref: 006C85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006C85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006C85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,006CFC38,?), ref: 006C8611
GlobalFree.KERNEL32(00000000), ref: 006C8621
GetObjectW.GDI32(?,00000018,?), ref: 006C8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 006C8671
DeleteObject.GDI32(?), ref: 006C8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006C86AF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 36d4cda5d022ba9309f52be3a3ef3b2df16f51509b7d14b9f8fd8a277c510208
Instruction ID: bb05d47322be1a6bfca8db18cc5833c4461e67b19c1ceacfdf98225f45550620
Opcode Fuzzy Hash: 36d4cda5d022ba9309f52be3a3ef3b2df16f51509b7d14b9f8fd8a277c510208
Instruction Fuzzy Hash: 5B410A75600204AFDB219FA5DC48EBA7BBAFF89721F148059F909E7260DB749E01DB60

Function 006A14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 006A1502
VariantCopy.OLEAUT32(?,?), ref: 006A150B
VariantClear.OLEAUT32(?), ref: 006A1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 006A15FB
VarR8FromDec.OLEAUT32(?,?), ref: 006A1657
VariantInit.OLEAUT32(?), ref: 006A1708
SysFreeString.OLEAUT32(?), ref: 006A178C
VariantClear.OLEAUT32(?), ref: 006A17D8
VariantClear.OLEAUT32(?), ref: 006A17E7
VariantInit.OLEAUT32(00000000), ref: 006A1823

Strings

Default, xrefs: 006A16AF
%4d%02d%02d%02d%02d%02d, xrefs: 006A1625

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: fc400df4953127c7ad10351f88174de12b2e347bca2ede5193b88460a7a64f75
Instruction ID: df7e1e8b5d3cf3160cf1fffcfe45a2d9ebc773671c94c4b30b9e61af9843cfff
Opcode Fuzzy Hash: fc400df4953127c7ad10351f88174de12b2e347bca2ede5193b88460a7a64f75
Instruction Fuzzy Hash: 84D1CCB1A00515EBDB44AFA5D895BB9B7B7BF47700F14805AE446AF280DB30EC42DFA1

Function 006BB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 006BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006BB6AE,?,?), ref: 006BC9B5
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BC9F1
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA68
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006BB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006BB772
RegDeleteValueW.ADVAPI32(?,?), ref: 006BB80A
RegCloseKey.ADVAPI32(?), ref: 006BB87E
RegCloseKey.ADVAPI32(?), ref: 006BB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 006BB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006BB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 006BB922
FreeLibrary.KERNEL32(00000000), ref: 006BB983
RegCloseKey.ADVAPI32(00000000), ref: 006BB994

Strings

advapi32.dll, xrefs: 006BB8ED
RegDeleteKeyExW, xrefs: 006BB8FE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: cb3893f3b9182ffa08825f06e49cc39e323eee172064e6129c04c2bc4a396402
Instruction ID: bd4b05e145e6b911c8220daf9ccb658f68da90c93f753e7a2184a6ce1cf8136b
Opcode Fuzzy Hash: cb3893f3b9182ffa08825f06e49cc39e323eee172064e6129c04c2bc4a396402
Instruction Fuzzy Hash: 6EC17C74208201AFD714DF14C494FAABBE6BF85318F14945CF59A4B3A2CBB1ED86CB91

Function 006B255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006B25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006B25E8
CreateCompatibleDC.GDI32(?), ref: 006B25F4
SelectObject.GDI32(00000000,?), ref: 006B2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 006B266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006B26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006B26D0
SelectObject.GDI32(?,?), ref: 006B26D8
DeleteObject.GDI32(?), ref: 006B26E1
DeleteDC.GDI32(?), ref: 006B26E8
ReleaseDC.USER32(00000000,?), ref: 006B26F3

Strings

(, xrefs: 006B268D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 64cc7c903daab1a7a9bb2194c8134f80da99d1c98409843bd8f7b5856f8eb533
Instruction ID: 3bef74a698c8b934827c38c3e738b321145c014a08d631a22de71ef5a084e45c
Opcode Fuzzy Hash: 64cc7c903daab1a7a9bb2194c8134f80da99d1c98409843bd8f7b5856f8eb533
Instruction Fuzzy Hash: 9161F2B5D00219EFCB14CFA8D884EAEBBF6FF48310F248529E959A7250E771A9418F54

Function 0066DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0066DAA1

Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D659
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D66B
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D67D
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D68F
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D6A1
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D6B3
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D6C5
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D6D7
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D6E9
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D6FB
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D70D
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D71F
Part of subcall function 0066D63C: _free.LIBCMT ref: 0066D731

_free.LIBCMT ref: 0066DA96

Part of subcall function 006629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000), ref: 006629DE
Part of subcall function 006629C8: GetLastError.KERNEL32(00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000,00000000), ref: 006629F0

_free.LIBCMT ref: 0066DAB8
_free.LIBCMT ref: 0066DACD
_free.LIBCMT ref: 0066DAD8
_free.LIBCMT ref: 0066DAFA
_free.LIBCMT ref: 0066DB0D
_free.LIBCMT ref: 0066DB1B
_free.LIBCMT ref: 0066DB26
_free.LIBCMT ref: 0066DB5E
_free.LIBCMT ref: 0066DB65
_free.LIBCMT ref: 0066DB82
_free.LIBCMT ref: 0066DB9A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d9907b8921a2732e00fd9b21c840780b2da0a9463b97fd62991146e4997267e2
Instruction ID: 9f290052744467c8932935aba0961844ffa41e7bd14a199e5f850842cdb5199f
Opcode Fuzzy Hash: d9907b8921a2732e00fd9b21c840780b2da0a9463b97fd62991146e4997267e2
Instruction Fuzzy Hash: 0F318B71B047069FEB65AA7AE841BAA77EBFF40750F15451DE448D7291DF30AC40C724

Function 0069365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0069369C
_wcslen.LIBCMT ref: 006936A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00693797
GetClassNameW.USER32(?,?,00000400), ref: 0069380C
GetDlgCtrlID.USER32(?), ref: 0069385D
GetWindowRect.USER32(?,?), ref: 00693882
GetParent.USER32(?), ref: 006938A0
ScreenToClient.USER32(00000000), ref: 006938A7
GetClassNameW.USER32(?,?,00000100), ref: 00693921
GetWindowTextW.USER32(?,?,00000400), ref: 0069395D

Strings

%s%u, xrefs: 00693734

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e7202c45e4fd4a318f45449319283040f4e1fa5088b18b59d89f5b6821e8314b
Instruction ID: af7dbc37ac92ce9c88e55bf610b8bc81c551643c84c06a1df0f1a8f69e361ec6
Opcode Fuzzy Hash: e7202c45e4fd4a318f45449319283040f4e1fa5088b18b59d89f5b6821e8314b
Instruction Fuzzy Hash: E991C271204616AFDB18DF64C885FEAB7AEFF44350F004519F99AC6790EB30EA45CB91

Function 00694954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00694994
GetWindowTextW.USER32(?,?,00000400), ref: 006949DA
_wcslen.LIBCMT ref: 006949EB
CharUpperBuffW.USER32(?,00000000), ref: 006949F7
_wcsstr.LIBVCRUNTIME ref: 00694A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00694A64
GetWindowTextW.USER32(?,?,00000400), ref: 00694A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00694AE6
GetClassNameW.USER32(?,?,00000400), ref: 00694B20
GetWindowRect.USER32(?,?), ref: 00694B8B

Strings

ThumbnailClass, xrefs: 00694A6F, 00694AF1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: fbf23186520ac864e3f082e15e02003c51cfb119ab3cfede1abec1824d1eec72
Instruction ID: dfb48ef4093b8ffa059bb40225feb50dae36863d1bd420e7afca50f24386e1eb
Opcode Fuzzy Hash: fbf23186520ac864e3f082e15e02003c51cfb119ab3cfede1abec1824d1eec72
Instruction Fuzzy Hash: 4A917A711082059FDF04DF14C985FAA77EEEF84314F04846AED899A69ADF30ED46CBA1

Function 006C8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006C8D5A
GetFocus.USER32 ref: 006C8D6A
GetDlgCtrlID.USER32(00000000), ref: 006C8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 006C8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006C8ECF
GetMenuItemCount.USER32(?), ref: 006C8EEC
GetMenuItemID.USER32(?,00000000), ref: 006C8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006C8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006C8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006C8FA1

Strings

0, xrefs: 006C8E9F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 36bc91512bbf62cdeac6933365f67537d68fab3cce5eefbdada49714c9e53990
Instruction ID: 0e2e23f9f221e7bd6545e86f7ab571dc0f85b0591fdf4e7507d232d924a469e8
Opcode Fuzzy Hash: 36bc91512bbf62cdeac6933365f67537d68fab3cce5eefbdada49714c9e53990
Instruction Fuzzy Hash: 82817B71508301AFD720CF24D884EBB7BEAFB89364F140A5DF99997291DB74E901CBA1

Function 0069DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0069DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0069DC46
_wcslen.LIBCMT ref: 0069DC50
_wcsstr.LIBVCRUNTIME ref: 0069DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0069DCBC

Strings

04090000, xrefs: 0069DCF2
StringFileInfo\, xrefs: 0069DC8F
DefaultLangCodepage, xrefs: 0069DD1F
\VarFileInfo\Translation, xrefs: 0069DCB4
%u.%u.%u.%u, xrefs: 0069DD9A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: c6ca12877fe7a6d559c1c6847f0fafc9c8cb11bfe6394b7aa202d2eb3007f93a
Instruction ID: 3a67dbc862bc61229d42264b6d980ac7fd67790b1e6eeb384ee8a327312bf279
Opcode Fuzzy Hash: c6ca12877fe7a6d559c1c6847f0fafc9c8cb11bfe6394b7aa202d2eb3007f93a
Instruction Fuzzy Hash: 01412432940205BADB54AB74DC07EFF776EEF42761F10006EF905E6182EB749A0597B8

Function 006BCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006BCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 006BCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006BCD48

Part of subcall function 006BCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 006BCCAA
Part of subcall function 006BCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 006BCCBD
Part of subcall function 006BCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006BCCCF
Part of subcall function 006BCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006BCD05
Part of subcall function 006BCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006BCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 006BCCF3

Strings

advapi32.dll, xrefs: 006BCCB8
RegDeleteKeyExW, xrefs: 006BCCC9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e7f686b2ae433e5214b602763dbe537274fc3fe9e2fa44120e989045d205a84d
Instruction ID: 4b388a936ceba7eb3b263a772b2fa982fc372ecefd191f5314bd4a56606f3db3
Opcode Fuzzy Hash: e7f686b2ae433e5214b602763dbe537274fc3fe9e2fa44120e989045d205a84d
Instruction Fuzzy Hash: 983160B5A01129BBD7208B55DC88EFFBB7EEF55764F000165E909E2240D7349B85DBA0

Function 006A3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006A3D40
_wcslen.LIBCMT ref: 006A3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 006A3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006A3DBE
RemoveDirectoryW.KERNEL32(?), ref: 006A3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006A3E55
CloseHandle.KERNEL32(00000000), ref: 006A3E60
CloseHandle.KERNEL32(00000000), ref: 006A3E6B

Strings

\, xrefs: 006A3D77
:, xrefs: 006A3D82
\??\%s, xrefs: 006A3D5B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 56865e80c5f88c91e82eebc1906b49dcd2679fd10f3f32aab8375f0dbf905c92
Instruction ID: 30930cd08b0803182375091c44baa84980c49b341f6468dcb3c6bff883c2ac3d
Opcode Fuzzy Hash: 56865e80c5f88c91e82eebc1906b49dcd2679fd10f3f32aab8375f0dbf905c92
Instruction Fuzzy Hash: 2C318372900119ABDB21AFA0DC49FEB37BEEF89750F1041A5F609D6260E7749B448F64

Function 0069E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0069E6B4

Part of subcall function 0064E551: timeGetTime.WINMM(?,?,0069E6D4), ref: 0064E555

Sleep.KERNEL32(0000000A), ref: 0069E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0069E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0069E727
SetActiveWindow.USER32 ref: 0069E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0069E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0069E773
Sleep.KERNEL32(000000FA), ref: 0069E77E
IsWindow.USER32 ref: 0069E78A
EndDialog.USER32(00000000), ref: 0069E79B

Strings

BUTTON, xrefs: 0069E719

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: af5f9a35b5afe6d170c24811374750dfa94cd0262dea5b6af6090b2a055829ea
Instruction ID: adfa3b79f24ca1eccdef53eab38d51df6f1b192709e10a63cee7b0fba03b4979
Opcode Fuzzy Hash: af5f9a35b5afe6d170c24811374750dfa94cd0262dea5b6af6090b2a055829ea
Instruction Fuzzy Hash: DF218E71200204EFEF00AF61EC8DE353B6FF754768B145524F50981AA2DF67AC41DB29

Function 0069E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0069EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0069EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0069EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0069EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0069EAA7

Strings

play PlayMe wait, xrefs: 0069EA91
play PlayMe, xrefs: 0069EAA2
close PlayMe, xrefs: 0069EA6E, 0069EA9B
open , xrefs: 0069EA0C
status PlayMe mode, xrefs: 0069EA58
alias PlayMe, xrefs: 0069EA36

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 9897c8bdbaab4de52321b8ed7ef8f5331796ce8c7af2b54711bf1ef1d4d0e060
Instruction ID: a2f7e871ea1e14d5bf0f3474a957c3ea725dfdb601e7ad33feb52501287bd36d
Opcode Fuzzy Hash: 9897c8bdbaab4de52321b8ed7ef8f5331796ce8c7af2b54711bf1ef1d4d0e060
Instruction Fuzzy Hash: DA117331A9026E79DB20E7A1DC4AEFF6B7EEBD1B10F410429B511A20E1EEF15D05C6B0

Function 00695CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00695CE2
GetWindowRect.USER32(00000000,?), ref: 00695CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00695D59
GetDlgItem.USER32(?,00000002), ref: 00695D69
GetWindowRect.USER32(00000000,?), ref: 00695D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00695DCF
GetDlgItem.USER32(?,000003E9), ref: 00695DDD
GetWindowRect.USER32(00000000,?), ref: 00695DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00695E31
GetDlgItem.USER32(?,000003EA), ref: 00695E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00695E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00695E67

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7796c33b552fb1a1c4bd9ceb666f9402ecec45ea1dd9e8ecb46d1c0c8bafe65d
Instruction ID: 4ab73c0ddec4e26f8a0553c44d7e7108a30ef8f8661681c43039af0f484ed00e
Opcode Fuzzy Hash: 7796c33b552fb1a1c4bd9ceb666f9402ecec45ea1dd9e8ecb46d1c0c8bafe65d
Instruction Fuzzy Hash: 94512FB0A00615AFDF18CF69CD99EAE7BBAFF48310F108129F51AE6690D7709E04CB50

Function 00648BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00648F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00648BE8,?,00000000,?,?,?,?,00648BBA,00000000,?), ref: 00648FC5

DestroyWindow.USER32(?), ref: 00648C81
KillTimer.USER32(00000000,?,?,?,?,00648BBA,00000000,?), ref: 00648D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00686973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00648BBA,00000000,?), ref: 006869A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00648BBA,00000000,?), ref: 006869B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00648BBA,00000000), ref: 006869D4
DeleteObject.GDI32(00000000), ref: 006869E6

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: febb8e471fa64a7a500ce6a192bdee414f0c2a77bfb76c9d3dc49e511b5f573e
Instruction ID: 2d9ca3f9397ac602b24d70d6da2628da8a74149e8f59a89a50c1916563dfe293
Opcode Fuzzy Hash: febb8e471fa64a7a500ce6a192bdee414f0c2a77bfb76c9d3dc49e511b5f573e
Instruction Fuzzy Hash: 1461AC30502711DFCB25AF14DA88BA977F3FB40326F54961CE0469B6A0CB75AD81CFA8

Function 00649838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00649944: GetWindowLongW.USER32(?,000000EB), ref: 00649952

GetSysColor.USER32(0000000F), ref: 00649862

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 52b9ef77c6a7912995ef54ab915c9f069bdf8da90ab43049cd887df4d530175f
Instruction ID: 9247609da9f9828876d85f25083b4ebad0723a3749f4f054049b252679725da1
Opcode Fuzzy Hash: 52b9ef77c6a7912995ef54ab915c9f069bdf8da90ab43049cd887df4d530175f
Instruction Fuzzy Hash: 974171311446449FDB209F3D9C84FBA37A7AB16330F284B55F9A6872E1D731D842DB21

Function 00668D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.e, xrefs: 0066903A, 00668FD0, 00668FF2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: .e
API String ID: 0-2491337497
Opcode ID: ec6363349a0c34fa68f0190584cc882fc0bb761c3d5069ab2c313c72d16dea80
Instruction ID: 3bd2fac480c31893b367b5fec667486647f63aa87dc0e4ee0aae947277e174a9
Opcode Fuzzy Hash: ec6363349a0c34fa68f0190584cc882fc0bb761c3d5069ab2c313c72d16dea80
Instruction Fuzzy Hash: 69C1D1B4A04249EFDF11DFA8D841BEDBBB6AF09310F14429DE815A7392CB349942CB75

Function 006996E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0067F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00699717
LoadStringW.USER32(00000000,?,0067F7F8,00000001), ref: 00699720

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0067F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00699742
LoadStringW.USER32(00000000,?,0067F7F8,00000001), ref: 00699745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00699866

Strings

Line %d:, xrefs: 006997A0
%s (%d) : ==> %s: %s %s, xrefs: 0069984A
^ ERROR, xrefs: 006997FB
Line %d (File "%s"):, xrefs: 0069978F
Error: , xrefs: 0069981D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: b6a08c758f5946e15e6c1286f017f20c98c338eabb68f1b7bc8047abd78f41ac
Instruction ID: 24173556cfcc5fdc876dd6a615092e2cf17742871222ccb9bdcc76fa30d886c1
Opcode Fuzzy Hash: b6a08c758f5946e15e6c1286f017f20c98c338eabb68f1b7bc8047abd78f41ac
Instruction Fuzzy Hash: AF414B72800219AADF44EBE4CE46EEEB37AEF55300F10442DF60572192EA756F49CAB5

Function 006906DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 006907A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006907BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006907DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00690804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0069082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00690837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0069083C

Strings

SOFTWARE\Classes\, xrefs: 0069070E
\CLSID, xrefs: 00690724
\IPC$, xrefs: 00690784

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 0fb48669ce0c27d400a86a567dd646515b4b5934398e1961e77ca1b2f57d5da0
Instruction ID: ca2b5c342cd195c9a88fd0ffbcf68a1a1852f6066e9298fb678fc7da86fe2290
Opcode Fuzzy Hash: 0fb48669ce0c27d400a86a567dd646515b4b5934398e1961e77ca1b2f57d5da0
Instruction Fuzzy Hash: C3410672D10229AFDF15EBA4DC95DEDB77ABF44350F044129E906A72A1EB709E04CBA0

Function 006B3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006B3C5C
CoInitialize.OLE32(00000000), ref: 006B3C8A
CoUninitialize.OLE32 ref: 006B3C94
_wcslen.LIBCMT ref: 006B3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 006B3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 006B3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 006B3F0E
CoGetObject.OLE32(?,00000000,006CFB98,?), ref: 006B3F2D
SetErrorMode.KERNEL32(00000000), ref: 006B3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006B3FC4
VariantClear.OLEAUT32(?), ref: 006B3FD8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: f737ff67fbda0263baa47c6fd0922c53e3cf62182dceb205b8f99b60712e4415
Instruction ID: f001d77442bfea7753e560faf8a6abd281857101f897c375e09156661d3dae87
Opcode Fuzzy Hash: f737ff67fbda0263baa47c6fd0922c53e3cf62182dceb205b8f99b60712e4415
Instruction Fuzzy Hash: 42C135B16082119FD700DF68C8849ABBBEAFF89754F10491DF98A9B311DB30ED46CB52

Function 006A7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006A7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006A7B8F
SHGetDesktopFolder.SHELL32(?), ref: 006A7BA3
CoCreateInstance.OLE32(006CFD08,00000000,00000001,006F6E6C,?), ref: 006A7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006A7C74
CoTaskMemFree.OLE32(?,?), ref: 006A7CCC
SHBrowseForFolderW.SHELL32(?), ref: 006A7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006A7D7A
CoTaskMemFree.OLE32(00000000), ref: 006A7D81
CoTaskMemFree.OLE32(00000000), ref: 006A7DD6
CoUninitialize.OLE32 ref: 006A7DDC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 872c5a6e113f1cd8d9890b04714798f36ac24fc1f8cf7edf610955ad2447b8eb
Instruction ID: 13d0a9dcf00ee6cf7f837721723d6bfd28fa714767c37ea539b6a9d5dfe3b589
Opcode Fuzzy Hash: 872c5a6e113f1cd8d9890b04714798f36ac24fc1f8cf7edf610955ad2447b8eb
Instruction Fuzzy Hash: AAC1F975A04109AFCB14EF64C884DAEBBFAFF49314B148499E91A9B361D730ED45CF90

Function 006C541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006C5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006C5515
CharNextW.USER32(00000158), ref: 006C5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006C5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006C559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006C55AC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: dd73d6731fe306b8b4dffd040d55f5552888606e26678c470a451f2bc2ef4d9f
Instruction ID: 869389b50d4b31a259262f2df1bc5d634d47d5bb3bd0636491df7e8c0fbb72d8
Opcode Fuzzy Hash: dd73d6731fe306b8b4dffd040d55f5552888606e26678c470a451f2bc2ef4d9f
Instruction Fuzzy Hash: 49619E30900608EFDF109F55CD84EFE7BBAEF09720F508149F926AA291D774AAC1DB60

Function 0068FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0068FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0068FB08
VariantInit.OLEAUT32(?), ref: 0068FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0068FB3A
VariantCopy.OLEAUT32(?,?), ref: 0068FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0068FBA1
VariantClear.OLEAUT32(?), ref: 0068FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0068FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0068FBCC
VariantClear.OLEAUT32(?), ref: 0068FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0068FBE9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 65ae3575def0d162a88ab73e7b39bb49c1250ea545a4f426012634288aad16fa
Instruction ID: 8b98e514bdf25a97d41bff7474fdf00d1cccc891c2832a3c2a40394984b7dca9
Opcode Fuzzy Hash: 65ae3575def0d162a88ab73e7b39bb49c1250ea545a4f426012634288aad16fa
Instruction Fuzzy Hash: E5412E35A00219DFCB04EF64D854DAEBBBAFF48354F00C169E95AA7261DB30A946CF90

Function 00699C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00699CA1
GetAsyncKeyState.USER32(000000A0), ref: 00699D22
GetKeyState.USER32(000000A0), ref: 00699D3D
GetAsyncKeyState.USER32(000000A1), ref: 00699D57
GetKeyState.USER32(000000A1), ref: 00699D6C
GetAsyncKeyState.USER32(00000011), ref: 00699D84
GetKeyState.USER32(00000011), ref: 00699D96
GetAsyncKeyState.USER32(00000012), ref: 00699DAE
GetKeyState.USER32(00000012), ref: 00699DC0
GetAsyncKeyState.USER32(0000005B), ref: 00699DD8
GetKeyState.USER32(0000005B), ref: 00699DEA

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 9848eed723c62b46e9448031dc30e05d3d966b9dab45f77ea63a203367427024
Instruction ID: c5d9c95824b1c90da0de24f2d68bfe571b89895d55df91045a8869fc0c409bd2
Opcode Fuzzy Hash: 9848eed723c62b46e9448031dc30e05d3d966b9dab45f77ea63a203367427024
Instruction Fuzzy Hash: 6C41F930504BC96DFF30876888443F5BEAA6F12354F44805EC6C656BC2EBA599C8C7B2

Function 006B055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006B05BC
inet_addr.WSOCK32(?), ref: 006B061C
gethostbyname.WSOCK32(?), ref: 006B0628
IcmpCreateFile.IPHLPAPI ref: 006B0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006B06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006B06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006B07B9
WSACleanup.WSOCK32 ref: 006B07BF

Strings

Ping, xrefs: 006B0676

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4ea3b72839bd0adec4f447a1bd179706919125260e0b93586b3770b6992f36cf
Instruction ID: 437c82ebe973a49e728510c3fedb892ae6441d768b9285ca17b6971f8bb96635
Opcode Fuzzy Hash: 4ea3b72839bd0adec4f447a1bd179706919125260e0b93586b3770b6992f36cf
Instruction Fuzzy Hash: FD918EB55042019FE720CF15C588F9BBBE2AF44318F1485A9F4698B7A2CB70ED85CF91

Function 006B8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 006B8CF3

Part of subcall function 00698E54: _wcslen.LIBCMT ref: 00698E77

_wcslen.LIBCMT ref: 006B8D4E
_wcslen.LIBCMT ref: 006B8D9C
_wcslen.LIBCMT ref: 006B8DDC
_wcslen.LIBCMT ref: 006B8E6E

Strings

cdecl, xrefs: 006B8D48, 006B8D4D
none, xrefs: 006B8E65, 006B8E6A
stdcall, xrefs: 006B8DD6, 006B8DDB
winapi, xrefs: 006B8D96, 006B8D9B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 1cd90c915bb1b67269219e239ef034ada49def6830d95d66a1fed82434a1b27a
Instruction ID: d24cf44c6e5d9b451d1a91d18fbbe277e57d381706052fafb749c6abb5329a8b
Opcode Fuzzy Hash: 1cd90c915bb1b67269219e239ef034ada49def6830d95d66a1fed82434a1b27a
Instruction Fuzzy Hash: EF5180B1A041169FCB14DF68C9519FEB7ABAF64324B204229E826E7385DB30DD81CBD0

Function 006B372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 006B3774
CoUninitialize.OLE32 ref: 006B377F
CoCreateInstance.OLE32(?,00000000,00000017,006CFB78,?), ref: 006B37D9
IIDFromString.OLE32(?,?), ref: 006B384C
VariantInit.OLEAUT32(?), ref: 006B38E4
VariantClear.OLEAUT32(?), ref: 006B3936

Strings

Invalid parameter, xrefs: 006B3865
NULL Pointer assignment, xrefs: 006B381E
Failed to create object, xrefs: 006B37E4, 006B389A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 66d1f6be5c612aa6140cef122228e9112dd1ddbbd57b7480d484b2e33dcd227a
Instruction ID: 56a4849acb614bbe32741f39689b34b3f815625c08f0a7b6a999b32da266854d
Opcode Fuzzy Hash: 66d1f6be5c612aa6140cef122228e9112dd1ddbbd57b7480d484b2e33dcd227a
Instruction Fuzzy Hash: 60618DB0708321AFD710DF54C848BAABBEAAF45710F00481DF5859B391DB70EE89CB96

Function 006C8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

Part of subcall function 0064912D: GetCursorPos.USER32(?), ref: 00649141
Part of subcall function 0064912D: ScreenToClient.USER32(00000000,?), ref: 0064915E
Part of subcall function 0064912D: GetAsyncKeyState.USER32(00000001), ref: 00649183
Part of subcall function 0064912D: GetAsyncKeyState.USER32(00000002), ref: 0064919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 006C8B6B
ImageList_EndDrag.COMCTL32 ref: 006C8B71
ReleaseCapture.USER32 ref: 006C8B77
SetWindowTextW.USER32(?,00000000), ref: 006C8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006C8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 006C8CFF

Strings

@GUI_DRAGFILE, xrefs: 006C8C9A
@GUI_DROPID, xrefs: 006C8C51
p#p, xrefs: 006C8C71

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#p
API String ID: 1924731296-746741009
Opcode ID: 152c565c14d7968b114d9547f16092a2b06da4d66c73e11449324189568dc8a9
Instruction ID: e7ec727686eb923ae4fea9d9bf3e46e50aa490bac95e3ec6927cebc707b81948
Opcode Fuzzy Hash: 152c565c14d7968b114d9547f16092a2b06da4d66c73e11449324189568dc8a9
Instruction Fuzzy Hash: A7518A70204204AFD714DF14D896FBA77E6FB88710F40062DF996672E1CB74A944CBA6

Function 006A3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 006A33CF

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 006A33F0

Strings

Line %d (File "%s"):, xrefs: 006A3443, 006A345C
Incorrect parameters to object property !, xrefs: 006A34AB
^ ERROR , xrefs: 006A349E
"%s" (%d) : ==> %s:, xrefs: 006A3522
Error: , xrefs: 006A34D1
"%s" (%d) : ==> %s:%s%s, xrefs: 006A3504

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: c0d3141e79a195ea5c5b561026881f4cdf8df737209a90ca61da708129533612
Instruction ID: 2a7cd7f6aa2541968203d6645dd322f1c2eb3371f9a10d7f231547062dbe879b
Opcode Fuzzy Hash: c0d3141e79a195ea5c5b561026881f4cdf8df737209a90ca61da708129533612
Instruction Fuzzy Hash: 1D519D71C00219AADF15EBA0CD42EEEB77AEF05300F108169F505722A2EB752F58DFA4

Function 0069B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0069B5FC
_wcslen.LIBCMT ref: 0069B608
_wcslen.LIBCMT ref: 0069B64D
_wcslen.LIBCMT ref: 0069B68C
_wcslen.LIBCMT ref: 0069B6C7

Strings

APPEND, xrefs: 0069B6C1, 0069B6C6
REMOVE, xrefs: 0069B602, 0069B607
EXISTS, xrefs: 0069B686, 0069B68B
KEYS, xrefs: 0069B647, 0069B64C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 7cbc884e18f77e45905497da1278124d50ddd016476e84ee6256c472e9406c1c
Instruction ID: b5daca5d8228c380b7aa1f0dd51154e1ba2d69bbd354330c94cc6f2a03d3bd0b
Opcode Fuzzy Hash: 7cbc884e18f77e45905497da1278124d50ddd016476e84ee6256c472e9406c1c
Instruction Fuzzy Hash: 9241F832A000269BCF106F7DDE905FE7BABAFA1754B245229E421DB784E731ED81C790

Function 006A5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006A53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006A5416
GetLastError.KERNEL32 ref: 006A5420
SetErrorMode.KERNEL32(00000000,READY), ref: 006A54A7

Strings

INVALID, xrefs: 006A5459
READY, xrefs: 006A5460, 006A5468
READONLY, xrefs: 006A5452
NOTREADY, xrefs: 006A544B
UNKNOWN, xrefs: 006A5444

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0e84cc7aba6c90765c4d67ce3a0fa9a73198b1b714a4d15d7a6472725be789b1
Instruction ID: 940cdfa53bb05569d055e9eadb2654942e4ed0d01cc7ba250c8c7bc6f667026a
Opcode Fuzzy Hash: 0e84cc7aba6c90765c4d67ce3a0fa9a73198b1b714a4d15d7a6472725be789b1
Instruction Fuzzy Hash: 05319135A006049FC710EF68C484AE9BBF6EF5A305F188069E506DB352DB70DD86CF90

Function 006C3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 006C3C79
SetMenu.USER32(?,00000000), ref: 006C3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006C3D10
IsMenu.USER32(?), ref: 006C3D24
CreatePopupMenu.USER32 ref: 006C3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006C3D5B
DrawMenuBar.USER32 ref: 006C3D63

Strings

0, xrefs: 006C3C54
F, xrefs: 006C3D4E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 2844f588ce750d5d8624d36e2ce9009b69c55bc84b33a04fd3c6178a37ce391a
Instruction ID: 9852ffae82777c9d453456779687833d2866faa9e6adab2611f287efbb4026fc
Opcode Fuzzy Hash: 2844f588ce750d5d8624d36e2ce9009b69c55bc84b33a04fd3c6178a37ce391a
Instruction Fuzzy Hash: 74414775A01219EFDB14CF64D854FEA7BB6FF49350F14402DE94AA7360D731AA10CB94

Function 006C3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006C3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006C3AA0
GetWindowLongW.USER32(?,000000F0), ref: 006C3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006C3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006C3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 006C3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 006C3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 006C3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 006C3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 006C3C13

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 7939209823d00089838a35427055975ecc8051f0adca3034fc4776b75c7d5432
Instruction ID: 4db7a3e85cffc2a39ff6946b7404a707786e4b8a0f72509b584924b3c2e4f299
Opcode Fuzzy Hash: 7939209823d00089838a35427055975ecc8051f0adca3034fc4776b75c7d5432
Instruction Fuzzy Hash: BD616775A00258AFDB10DFA8CC81EFE77B9EB09710F108199FA15A73A1C774AE41DB64

Function 0069B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0069B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0069A1E1,?,00000001), ref: 0069B165
GetWindowThreadProcessId.USER32(00000000), ref: 0069B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0069A1E1,?,00000001), ref: 0069B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0069B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0069A1E1,?,00000001), ref: 0069B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0069A1E1,?,00000001), ref: 0069B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0069A1E1,?,00000001), ref: 0069B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0069A1E1,?,00000001), ref: 0069B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0069A1E1,?,00000001), ref: 0069B21D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 04100650cb9ced095bbd767dd24f56cf5603d8b300540a452f776ff61e618913
Instruction ID: d91289aa0f4e603cf259cb3cc1460b4b9f03c6d95e8793a63cca268908e91bee
Opcode Fuzzy Hash: 04100650cb9ced095bbd767dd24f56cf5603d8b300540a452f776ff61e618913
Instruction Fuzzy Hash: 90318E71500204EFDF109F25EE48FBD7BAFEB51321F14A115FA05DA690DBB8AA418F64

Function 00662C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00662C94

Part of subcall function 006629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000), ref: 006629DE
Part of subcall function 006629C8: GetLastError.KERNEL32(00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000,00000000), ref: 006629F0

_free.LIBCMT ref: 00662CA0
_free.LIBCMT ref: 00662CAB
_free.LIBCMT ref: 00662CB6
_free.LIBCMT ref: 00662CC1
_free.LIBCMT ref: 00662CCC
_free.LIBCMT ref: 00662CD7
_free.LIBCMT ref: 00662CE2
_free.LIBCMT ref: 00662CED
_free.LIBCMT ref: 00662CFB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8fd58b216464ed3ef03a6df00223c8698bc19884952db7106d344ca2f484f97c
Instruction ID: a5d6193c08b685e3806df69be59f48760e4647ab2d45d02774135ba89d1ee5fe
Opcode Fuzzy Hash: 8fd58b216464ed3ef03a6df00223c8698bc19884952db7106d344ca2f484f97c
Instruction Fuzzy Hash: 57112B36600409BFCB46EF55D852CDC3BA6FF45780F4041A8F9485F232D631EE509B94

Function 006A7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006A7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 006A7FC1
GetFileAttributesW.KERNEL32(?), ref: 006A7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 006A8005
SetCurrentDirectoryW.KERNEL32(?), ref: 006A8017
SetCurrentDirectoryW.KERNEL32(?), ref: 006A8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 006A80B0

Strings

*.*, xrefs: 006A8066

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: cadd2e885f73fdb83592fa2c1e82fa1aaac9ed2a989b480bf9df8f962cc57672
Instruction ID: 46e3d9c60edb627051499cdc7b6e32abcc40c756eb4f81eb5a8ba4d2d42f33d1
Opcode Fuzzy Hash: cadd2e885f73fdb83592fa2c1e82fa1aaac9ed2a989b480bf9df8f962cc57672
Instruction Fuzzy Hash: 8581AF725082459FCB24FF14C8449AAB3EABF8A310F144C6EF889D7251EB35DD498F92

Function 00635BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00635C7A

Part of subcall function 00635D0A: GetClientRect.USER32(?,?), ref: 00635D30
Part of subcall function 00635D0A: GetWindowRect.USER32(?,?), ref: 00635D71
Part of subcall function 00635D0A: ScreenToClient.USER32(?,?), ref: 00635D99

GetDC.USER32 ref: 006746F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00674708
SelectObject.GDI32(00000000,00000000), ref: 00674716
SelectObject.GDI32(00000000,00000000), ref: 0067472B
ReleaseDC.USER32(?,00000000), ref: 00674733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006747C4

Strings

U, xrefs: 00674693

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0e2601072b06e06651135e08866effb70feb77c0907eb7f207e074ce9a559031
Instruction ID: 4a9fcd97c466792f1d390e0455f490e98aded9cbe6a838706f47c817c1611963
Opcode Fuzzy Hash: 0e2601072b06e06651135e08866effb70feb77c0907eb7f207e074ce9a559031
Instruction Fuzzy Hash: 3C71B031500205DFCF258F64C988AFA7BB7FF4A364F148269ED5A5A2A6CB31D842DF50

Function 006A359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006A35E4

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

LoadStringW.USER32(00702390,?,00000FFF,?), ref: 006A360A

Strings

^ ERROR, xrefs: 006A36C9
Line %d (File "%s"):, xrefs: 006A366B
"%s" (%d) : ==> %s:, xrefs: 006A3742
Error: , xrefs: 006A36EF
"%s" (%d) : ==> %s:%s%s, xrefs: 006A3724

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: cbfe834f73565fbdce1b98c92831d6bd0a2e0d30c7bc4970c159141c5ef8c01d
Instruction ID: c2f44211927776a62a9184614480131dd060a022bd402991207b71798f1e8eb2
Opcode Fuzzy Hash: cbfe834f73565fbdce1b98c92831d6bd0a2e0d30c7bc4970c159141c5ef8c01d
Instruction Fuzzy Hash: 29516171C00219BBDF55EBA0CC42EEDBB7AEF05300F549129F105722A1DB715A95DFA8

Function 006AC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006AC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006AC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006AC2CA
GetLastError.KERNEL32 ref: 006AC322
SetEvent.KERNEL32(?), ref: 006AC336
InternetCloseHandle.WININET(00000000), ref: 006AC341

Strings

, xrefs: 006AC2BB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c9dc4a58a20ee73a6cef10d424fb4cbcce027754a8297c19a5a0a06140abaff0
Instruction ID: 9e5ddf47df7acc13e32508b2b585238e5ab9977a8075b72157db0fbd2451d895
Opcode Fuzzy Hash: c9dc4a58a20ee73a6cef10d424fb4cbcce027754a8297c19a5a0a06140abaff0
Instruction Fuzzy Hash: 7E316DB1500204AFDB21AF648888EBB7AFEEF4A764F14851EF44A92200DB34DD059F70

Function 0069989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00673AAF,?,?,Bad directive syntax error,006CCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 006998BC
LoadStringW.USER32(00000000,?,00673AAF,?), ref: 006998C3

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00699987

Strings

Line %d:, xrefs: 00699912
., xrefs: 0069996D
Line %d (File "%s"):, xrefs: 0069992D
%s (%d) : ==> %s.: %s %s, xrefs: 006998F1
Error: , xrefs: 00699955

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: d2cb8a21e2d6abb0c9e9ed8b1513eb3471586497b72403836c49e04ca781018c
Instruction ID: 5fdc816176ab9951a6c420078564134e83f25f8d3b306cd72157f60e29a858a6
Opcode Fuzzy Hash: d2cb8a21e2d6abb0c9e9ed8b1513eb3471586497b72403836c49e04ca781018c
Instruction Fuzzy Hash: 30213C3284021AABDF15AF90CC06EEE777AFF18300F049459F519661A2EA719618DB64

Function 0069209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006920AB
GetClassNameW.USER32(00000000,?,00000100), ref: 006920C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0069214D

Strings

largeicons, xrefs: 006920E1
list, xrefs: 0069212F
details, xrefs: 006920FB
SHELLDLL_DefView, xrefs: 006920CC
smallicons, xrefs: 00692115

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 33ad7081fca0a167503000ddbd5f0ddd4a97ab07fe658f8083198db120c20f44
Instruction ID: 908449e8e804d70dd65ef5d6fb49620c2f29b071d4febbbf4e43368cbb333e3c
Opcode Fuzzy Hash: 33ad7081fca0a167503000ddbd5f0ddd4a97ab07fe658f8083198db120c20f44
Instruction Fuzzy Hash: 0811367668870BBAFE012221DC2BCF6379FCB05329F21005AFB05A55D5EE616C565618

Function 0066CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0066CEB7
_free.LIBCMT ref: 0066CF22
_free.LIBCMT ref: 0066CF48
_free.LIBCMT ref: 0066CF71
_free.LIBCMT ref: 0066CFA9
_free.LIBCMT ref: 0066CFDA
_free.LIBCMT ref: 0066D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0066D09C
_free.LIBCMT ref: 0066D0B5

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 6f14eb13d75000f40550313cd8c23cbe0c43c128e30a97328be45db89037b520
Instruction ID: 8ffa67f347d4a17c413fc2edd41625f45ce58452bb6b1147a234b2a65d4544d8
Opcode Fuzzy Hash: 6f14eb13d75000f40550313cd8c23cbe0c43c128e30a97328be45db89037b520
Instruction Fuzzy Hash: C0615BB1B04B01AFDB25AFB49C51BB97BA7EF05370F04426DF98497381DA369D0187A4

Function 006C50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 006C5186
ShowWindow.USER32(?,00000000), ref: 006C51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 006C51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 006C51D1

Part of subcall function 006C6FBA: DeleteObject.GDI32(00000000), ref: 006C6FE6

GetWindowLongW.USER32(?,000000F0), ref: 006C520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006C521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006C524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 006C5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 006C5296

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: dfba55669e425a94e2ef7bb903d62308ace5dbaf866f997cd30c21b82c679eb0
Instruction ID: 47d6760dc4ab84cefa3408ba25b324da2dd1af2d9cf5e07cc0101bbf2eb1bd11
Opcode Fuzzy Hash: dfba55669e425a94e2ef7bb903d62308ace5dbaf866f997cd30c21b82c679eb0
Instruction Fuzzy Hash: 5C51A030A50A08BEEF209F24CC49FF97BA7EB05325F584119F516966E1C779BAC0DB40

Function 00648B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00686890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006868A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006868B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 006868D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006868F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00648874,00000000,00000000,00000000,000000FF,00000000), ref: 00686901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0068691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00648874,00000000,00000000,00000000,000000FF,00000000), ref: 0068692D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: cae1b63481f31e1a2b8d397953edeec2b329509bf30f23d70c525ef73bc79d26
Instruction ID: 912a6cd740fbd22ff2338d9ce5e4bf03ee78682817c2d98a66d4ae31a8139f3a
Opcode Fuzzy Hash: cae1b63481f31e1a2b8d397953edeec2b329509bf30f23d70c525ef73bc79d26
Instruction Fuzzy Hash: 73515870A00209EFDB20DF25CC55FAA7BB7EB58760F104618F956972E0DB70E991DB50

Function 006AC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006AC182
GetLastError.KERNEL32 ref: 006AC195
SetEvent.KERNEL32(?), ref: 006AC1A9

Part of subcall function 006AC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006AC272
Part of subcall function 006AC253: GetLastError.KERNEL32 ref: 006AC322
Part of subcall function 006AC253: SetEvent.KERNEL32(?), ref: 006AC336
Part of subcall function 006AC253: InternetCloseHandle.WININET(00000000), ref: 006AC341

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 9f1af8f7e1b9719255151793b2d059b71999b25c73c918ff1e7322ce2ee8adeb
Instruction ID: e4250e4930e81d935e51987ee7b5f93bc9416e3708a06d952a21ef208903c37a
Opcode Fuzzy Hash: 9f1af8f7e1b9719255151793b2d059b71999b25c73c918ff1e7322ce2ee8adeb
Instruction Fuzzy Hash: 30318C71200605AFDB21AFA5DD44AB6BBFAFF5A320B04441EF95A82710D731EE15DFA0

Function 006925A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00693A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00693A57
Part of subcall function 00693A3D: GetCurrentThreadId.KERNEL32 ref: 00693A5E
Part of subcall function 00693A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006925B3), ref: 00693A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 006925BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006925DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 006925DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 006925E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00692601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00692605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0069260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00692623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00692627

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b0c5ab0b4d41b2ee4996a1a368d4fe998532ea087526af77d8909cfcb822539f
Instruction ID: a6d2b105f9eb94615716949928a7aa619e6e458e2023abddf57ca13c2adc9eeb
Opcode Fuzzy Hash: b0c5ab0b4d41b2ee4996a1a368d4fe998532ea087526af77d8909cfcb822539f
Instruction Fuzzy Hash: DA01D430790220BBFB106769DC8AF693F5EDB4EB22F111005F318AE1D1C9E224449AA9

Function 00691803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00691449,?,?,00000000), ref: 0069180C
HeapAlloc.KERNEL32(00000000,?,00691449,?,?,00000000), ref: 00691813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00691449,?,?,00000000), ref: 00691828
GetCurrentProcess.KERNEL32(?,00000000,?,00691449,?,?,00000000), ref: 00691830
DuplicateHandle.KERNEL32(00000000,?,00691449,?,?,00000000), ref: 00691833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00691449,?,?,00000000), ref: 00691843
GetCurrentProcess.KERNEL32(00691449,00000000,?,00691449,?,?,00000000), ref: 0069184B
DuplicateHandle.KERNEL32(00000000,?,00691449,?,?,00000000), ref: 0069184E
CreateThread.KERNEL32(00000000,00000000,00691874,00000000,00000000,00000000), ref: 00691868

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 503a569fc5f28999a874c8c6e59bb117ae833d3585ba8e5fcb10fe26db0bddf3
Instruction ID: c550b02221e8c1eea311f2cdf180b947daf590424e2f2996c06aafe997e8b9f0
Opcode Fuzzy Hash: 503a569fc5f28999a874c8c6e59bb117ae833d3585ba8e5fcb10fe26db0bddf3
Instruction Fuzzy Hash: 3701CDB5240748BFE710AFB6DC4DF6B3BADEB89B11F055411FA09DB5A1CA749800DB20

Function 006BA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0069D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0069D501
Part of subcall function 0069D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0069D50F
Part of subcall function 0069D4DC: CloseHandle.KERNELBASE(00000000), ref: 0069D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006BA16D
GetLastError.KERNEL32 ref: 006BA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006BA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 006BA268
GetLastError.KERNEL32(00000000), ref: 006BA273
CloseHandle.KERNEL32(00000000), ref: 006BA2C4

Strings

SeDebugPrivilege, xrefs: 006BA18F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: d6318e60bd9649a405b54dd325b9d86effd3228f3af67489df832d3398adf80c
Instruction ID: 45b99aeb7245ca6f167215f43c4e2be4615d3260efd3fa2bba8741829a18602f
Opcode Fuzzy Hash: d6318e60bd9649a405b54dd325b9d86effd3228f3af67489df832d3398adf80c
Instruction Fuzzy Hash: D6619270204241AFD710DF59C494FA5BBE6AF44318F18849CF45A4BB93C772ED85CB92

Function 006C3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006C3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 006C393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006C3954
_wcslen.LIBCMT ref: 006C3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006C39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006C39F4

Strings

SysListView32, xrefs: 006C38F7

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: c8644630e600642d4be5bf2d13071a3978df967e303d531e590e30a045d8a5bb
Instruction ID: 97794cceba19afc483ccd339241fed0a5ba08ea9f099e4d8956b0745e2e149a1
Opcode Fuzzy Hash: c8644630e600642d4be5bf2d13071a3978df967e303d531e590e30a045d8a5bb
Instruction Fuzzy Hash: 1D41A371A00219ABDF219F64CC45FFA7BAAEF08354F10452AF958E7381D775DA80CB90

Function 0069BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0069BCFD
IsMenu.USER32(00000000), ref: 0069BD1D
CreatePopupMenu.USER32 ref: 0069BD53
GetMenuItemCount.USER32(01405C28), ref: 0069BDA4
InsertMenuItemW.USER32(01405C28,?,00000001,00000030), ref: 0069BDCC

Strings

2, xrefs: 0069BD37
0, xrefs: 0069BCA8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 87ec12e5702a6f4ec70cb599bf58effc5d61e6cd77bba364642ce00953c4da23
Instruction ID: f240e8da2822943e0bc72f14a61f24361273d8c824ce697f14e3e17f950b9ebc
Opcode Fuzzy Hash: 87ec12e5702a6f4ec70cb599bf58effc5d61e6cd77bba364642ce00953c4da23
Instruction Fuzzy Hash: 5051AD70A002099BDF10CFA8EA88BEEBBFEAF45324F146159E405A7790D7709949CB61

Function 00652D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00652D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00652D53
_ValidateLocalCookies.LIBCMT ref: 00652DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00652E0C
_ValidateLocalCookies.LIBCMT ref: 00652E61

Strings

csm, xrefs: 00652DF6
&He, xrefs: 00652DFE, 00652E07, 00652E18

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &He$csm
API String ID: 1170836740-3927386944
Opcode ID: 314521653874fbe3d5e2a87aceff633705e17915ded4d1ac7691e4b12c6acaed
Instruction ID: c21be49ebf434e2db91cef3a3b37747ca623853331dffaeba16870aef6e7cf32
Opcode Fuzzy Hash: 314521653874fbe3d5e2a87aceff633705e17915ded4d1ac7691e4b12c6acaed
Instruction Fuzzy Hash: EA41A634E0021ADBCF14DF68C855ADEBBB6BF46366F148159EC146B352D731AA09CBD0

Function 0069C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0069C913

Strings

stop, xrefs: 0069C8E4
info, xrefs: 0069C8B4
warning, xrefs: 0069C8FC
question, xrefs: 0069C8CC
blank, xrefs: 0069C895

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 0da13534c9e45fb7a4d2f6376dbb4a36e91d59e441ba54ea0c4e45ec25a1d377
Instruction ID: b9de1cb482d869692ae94ddd2d5c718324ecc556be74e0df7b7544559a28aebc
Opcode Fuzzy Hash: 0da13534c9e45fb7a4d2f6376dbb4a36e91d59e441ba54ea0c4e45ec25a1d377
Instruction Fuzzy Hash: AA110D3168D30ABAEF056B55DC83CFA779EDF15379B20002EF904A6682DB705D415368

Function 0069DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 0069DE42
gethostname.WSOCK32(?,00000100), ref: 0069DE5C
gethostbyname.WSOCK32(?), ref: 0069DE69
inet_ntoa.WSOCK32(?), ref: 0069DEAB
_strcat.LIBCMT ref: 0069DEB9
WSACleanup.WSOCK32 ref: 0069DEDE

Strings

0.0.0.0, xrefs: 0069DE87

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 735a9afe350c8dadf6db5aa92cc5b6d3605c5cc137cdf570fa624b246b8747cc
Instruction ID: 7c000348254053af0c725491c7d57f20c62d5c33e20cae30be1020a73dbe1af3
Opcode Fuzzy Hash: 735a9afe350c8dadf6db5aa92cc5b6d3605c5cc137cdf570fa624b246b8747cc
Instruction Fuzzy Hash: 8F112671904109AFCF60AB64DC4AEFF77AEDF10761F0101BDF509AA191EF71CA818A64

Function 0069ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0069ED2A
_wcslen.LIBCMT ref: 0069ED3B
_wcslen.LIBCMT ref: 0069ED79
_wcslen.LIBCMT ref: 0069EDAF
_wcslen.LIBCMT ref: 0069EDDF
_wcslen.LIBCMT ref: 0069EDEF
_wcslen.LIBCMT ref: 0069EE2B
_wcslen.LIBCMT ref: 0069EE5A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 26457b0daddb811eca9b9b830a0837a60ef1593434d44a9661ed46f209fc7960
Instruction ID: 66536846cd0d031f1760631de94e258d1242a7b80618dbf55b189b6930f17baf
Opcode Fuzzy Hash: 26457b0daddb811eca9b9b830a0837a60ef1593434d44a9661ed46f209fc7960
Instruction Fuzzy Hash: CB41B065C1021865CB51EBB4C88A9DFB3AEAF05311F40846AF918E3522EB34E349C3E9

Function 0064F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0068682C,00000004,00000000,00000000), ref: 0064F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0068682C,00000004,00000000,00000000), ref: 0068F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0068682C,00000004,00000000,00000000), ref: 0068F454

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f752b948b5f0a7d363791f69fb70008c58e75927954bb2bc6ddec018ef91e1cc
Instruction ID: abd0a3b6dc99e454293448b08fc25e6400fb6f8b56cfe21c1a5da34b5612c567
Opcode Fuzzy Hash: f752b948b5f0a7d363791f69fb70008c58e75927954bb2bc6ddec018ef91e1cc
Instruction Fuzzy Hash: 1A411831618680FFD7399F298888BBA7BD3AF56324F18553DF08B56761C732A881CB51

Function 006C2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006C2D1B
GetDC.USER32(00000000), ref: 006C2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006C2D2E
ReleaseDC.USER32(00000000,00000000), ref: 006C2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006C2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006C2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006C5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 006C2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006C2DE1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 7f3a60a584ee969e569eb97cde8590baa53adab3ff5313f5d043aeb0ab39e46c
Instruction ID: c67d87e1f323b139a633731e6526b666f13d443d98f5f682196e4add910d8408
Opcode Fuzzy Hash: 7f3a60a584ee969e569eb97cde8590baa53adab3ff5313f5d043aeb0ab39e46c
Instruction Fuzzy Hash: E3319C72201214BFEB118F50CC8AFFB3BAAEF19721F084055FE099A291C6759C41CBA4

Function 00695622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00695637
_memcmp.LIBVCRUNTIME ref: 00695659
_memcmp.LIBVCRUNTIME ref: 00695671
_memcmp.LIBVCRUNTIME ref: 00695684
_memcmp.LIBVCRUNTIME ref: 0069569E
_memcmp.LIBVCRUNTIME ref: 006956B1
_memcmp.LIBVCRUNTIME ref: 006956C9
_memcmp.LIBVCRUNTIME ref: 006956E4

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 13d375a450ede4e9e1fd21143de0d093dce2100a5d0fb13787132be02535644c
Instruction ID: 83714a915d3fae7a27a37574a26a3daf2c15caaf0e9e9bf810756fb821f5e71f
Opcode Fuzzy Hash: 13d375a450ede4e9e1fd21143de0d093dce2100a5d0fb13787132be02535644c
Instruction Fuzzy Hash: 6921F571740A09779A165A209DB2FFB334FEF21385F440029FD069EA81FB21EE1583A9

Function 006B4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 006B502E, 006B5383
Not an Object type, xrefs: 006B5007

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: ac5de6f82c0f3fc779aba0a74297634521105fc507eabdc9b0d73a686c01557b
Instruction ID: 985d988988ad5b51c8869cc1df8afe3048e5c1780ea906f79f173cc0fc23c9b2
Opcode Fuzzy Hash: ac5de6f82c0f3fc779aba0a74297634521105fc507eabdc9b0d73a686c01557b
Instruction Fuzzy Hash: 91D19FB1A0060A9FDF14DF98C881BEEB7B6BF48354F148069E916AB381E771DD85CB50

Function 00671522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,006717FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 006715CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00671651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,006717FB,?,006717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006716E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 006716FB

Part of subcall function 00663820: RtlAllocateHeap.NTDLL(00000000,?,00701444,?,0064FDF5,?,?,0063A976,00000010,00701440,006313FC,?,006313C6,?,00631129), ref: 00663852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006717FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00671777
__freea.LIBCMT ref: 006717A2
__freea.LIBCMT ref: 006717AE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 0df51417af9b5813fb6401ce84c0beae384576a3b60e01fa735e3b98577f2ee7
Instruction ID: 1c63d46d7ca5a77707fdd51a49ecaac6c469869d59cf21c8202a96a5a9418af5
Opcode Fuzzy Hash: 0df51417af9b5813fb6401ce84c0beae384576a3b60e01fa735e3b98577f2ee7
Instruction Fuzzy Hash: 899185B1E002169AEF288E7CC851EEE7BB79F46710F18865AE809EF241D735DD45C7A0

Function 006B4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006B4648
VariantInit.OLEAUT32(?), ref: 006B4749
VariantClear.OLEAUT32(?), ref: 006B4753
VariantClear.OLEAUT32(?), ref: 006B47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 006B472C
Null Object assignment in FOR..IN loop, xrefs: 006B45D8, 006B4706, 006B47BE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 204a522ce7f4ebf128adb3605dec74c816e65bab10c6cee0817d4805b9858dcf
Instruction ID: 0baaa058638b39449a84328d5db74abd84df8d007de2deb04f3f6b0095e26203
Opcode Fuzzy Hash: 204a522ce7f4ebf128adb3605dec74c816e65bab10c6cee0817d4805b9858dcf
Instruction Fuzzy Hash: FF9176B1A00215ABDF24CF65C844FEE7BBAEF46714F10855DF505AB282DB709985CF90

Function 006A1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 006A125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 006A1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 006A12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006A12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006A135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006A13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 006A1430

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: cd963e7dea160f213faf6185fe176348aad0bcee6488341565e12b26c5be8b76
Instruction ID: 2f64bcce522382f5a283911503e7aeda328f69d08be59daed31a6d1538200821
Opcode Fuzzy Hash: cd963e7dea160f213faf6185fe176348aad0bcee6488341565e12b26c5be8b76
Instruction Fuzzy Hash: 75919E719002099FDB40AF98C885BBEB7F6FF46325F148029E541EB291D774AD41CF94

Function 0064948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 2e6ce1df52bf2cf5c50c18e9b8ba03639b864dc5da700e45673e3ae0d0734811
Instruction ID: 27c0d4f6a45310135206db172cec6607e05003279b23f5d713897712e47c2924
Opcode Fuzzy Hash: 2e6ce1df52bf2cf5c50c18e9b8ba03639b864dc5da700e45673e3ae0d0734811
Instruction Fuzzy Hash: C4912671D40219EFCB14CFA9CC84AEEBBBAFF49320F248159E515B7251D375AA42CB60

Function 006B3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006B396B
CharUpperBuffW.USER32(?,?), ref: 006B3A7A
_wcslen.LIBCMT ref: 006B3A8A
VariantClear.OLEAUT32(?), ref: 006B3C1F

Part of subcall function 006A0CDF: VariantInit.OLEAUT32(00000000), ref: 006A0D1F
Part of subcall function 006A0CDF: VariantCopy.OLEAUT32(?,?), ref: 006A0D28
Part of subcall function 006A0CDF: VariantClear.OLEAUT32(?), ref: 006A0D34

Strings

Incorrect Parameter format, xrefs: 006B39A6, 006B3BA1
AUTOIT.ERROR, xrefs: 006B3A80, 006B3A85

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 061f2040c6d5312fef3078fe9a8fa1cebad9a90e0b6f89806b3bbf85b304c0ca
Instruction ID: 4808ae7f76a45ae96a9aa83dc45fcfd663313c71765ac1081adfd55eaabefc5d
Opcode Fuzzy Hash: 061f2040c6d5312fef3078fe9a8fa1cebad9a90e0b6f89806b3bbf85b304c0ca
Instruction Fuzzy Hash: 03917AB56083159FC744DF24C4809AAB7E6FF89314F14882DF8899B351DB30EE46CB96

Function 006B4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0069000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?,?,?,0069035E), ref: 0069002B
Part of subcall function 0069000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?,?), ref: 00690046
Part of subcall function 0069000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?,?), ref: 00690054
Part of subcall function 0069000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?), ref: 00690064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 006B4C51
_wcslen.LIBCMT ref: 006B4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 006B4DCF
CoTaskMemFree.OLE32(?), ref: 006B4DDA

Strings

NULL Pointer assignment, xrefs: 006B4E23, 006B4E52

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 353df73baf4130d8d84d1eac04942656e8986e75d805be9d01aa8c81185e83ac
Instruction ID: 560c67757f96a1987494aa5c114bfce5be14cb2e980ddda0b2465b1a028bc288
Opcode Fuzzy Hash: 353df73baf4130d8d84d1eac04942656e8986e75d805be9d01aa8c81185e83ac
Instruction Fuzzy Hash: 849108B1D0021DAFDF14DFA4C891EEEBBBABF08310F104569E915A7251DB709A45CFA0

Function 006C20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006C2183
GetMenuItemCount.USER32(00000000), ref: 006C21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006C21DD
_wcslen.LIBCMT ref: 006C2213
GetMenuItemID.USER32(?,?), ref: 006C224D
GetSubMenu.USER32(?,?), ref: 006C225B

Part of subcall function 00693A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00693A57
Part of subcall function 00693A3D: GetCurrentThreadId.KERNEL32 ref: 00693A5E
Part of subcall function 00693A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006925B3), ref: 00693A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006C22E3

Part of subcall function 0069E97B: Sleep.KERNEL32 ref: 0069E9F3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: c3d14e5f5f590192d19ff6a1462e0b425ebfb988ac2781dd12e1eae0a068105b
Instruction ID: 3fa1aab453883d1625762fdbe870ccda472b6a251c79a5a2048999f6ebb9af0e
Opcode Fuzzy Hash: c3d14e5f5f590192d19ff6a1462e0b425ebfb988ac2781dd12e1eae0a068105b
Instruction Fuzzy Hash: 6B716D75A00216AFCB54EF64C851EBEB7F6EF88320F14845DE916AB341DB34EE418B90

Function 0069AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0069AEF9
GetKeyboardState.USER32(?), ref: 0069AF0E
SetKeyboardState.USER32(?), ref: 0069AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0069AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0069AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0069AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0069B020

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f01172435494d1d9c52be9113ce2a7c0e960c72cd347995cc4f0cd3225d9fc05
Instruction ID: 1a58bc9beb5a705c7a9de6a29e2fc8b0607954c56b41e211fd6c9f0b98e824c3
Opcode Fuzzy Hash: f01172435494d1d9c52be9113ce2a7c0e960c72cd347995cc4f0cd3225d9fc05
Instruction Fuzzy Hash: 4651DFA0A047D53DFF3683748D49BFABEEE5B06304F089589E1D985DC2C398A8C8D791

Function 0069ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0069AD19
GetKeyboardState.USER32(?), ref: 0069AD2E
SetKeyboardState.USER32(?), ref: 0069AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0069ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0069ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0069AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0069AE38

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 3d44e88c053cfbaf5f47588f24bb6a4b64166cac5ac40b14cd2b0a5ad55d2b14
Instruction ID: a8cf5443ea220622814dbb3e948f9a14d31fc91173ca60c3128664f46ee4cda6
Opcode Fuzzy Hash: 3d44e88c053cfbaf5f47588f24bb6a4b64166cac5ac40b14cd2b0a5ad55d2b14
Instruction Fuzzy Hash: 0C51E5B05047D13DFF3683A48C45BBA7EEE5F46300F088488E1D546DC2C294EC88E792

Function 0066542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00673CD6,?,?,?,?,?,?,?,?,00665BA3,?,?,00673CD6,?,?), ref: 00665470
__fassign.LIBCMT ref: 006654EB
__fassign.LIBCMT ref: 00665506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00673CD6,00000005,00000000,00000000), ref: 0066552C
WriteFile.KERNEL32(?,00673CD6,00000000,00665BA3,00000000,?,?,?,?,?,?,?,?,?,00665BA3,?), ref: 0066554B
WriteFile.KERNEL32(?,?,00000001,00665BA3,00000000,?,?,?,?,?,?,?,?,?,00665BA3,?), ref: 00665584

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 50a0c581095cb575df0d23125b02ea1868adacdefcf7af8a8bb9ea551f9b6bd5
Instruction ID: dec3dd0436dcbab47e344bef4bfa9b47e8292357864890b547592ed99d1c1830
Opcode Fuzzy Hash: 50a0c581095cb575df0d23125b02ea1868adacdefcf7af8a8bb9ea551f9b6bd5
Instruction Fuzzy Hash: 4B51A3B1A006499FDB10CFA8D846AEEBBFAEF09310F14415EF556E7291D730AA41CB64

Function 006B10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006B304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006B307A
Part of subcall function 006B304E: _wcslen.LIBCMT ref: 006B309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006B1112
WSAGetLastError.WSOCK32 ref: 006B1121
WSAGetLastError.WSOCK32 ref: 006B11C9
closesocket.WSOCK32(00000000), ref: 006B11F9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 076cb180292e099519fd402c0ca5df0542a60f64c4738d6f7d73b570541e621c
Instruction ID: 4aa907dc407fb77d828356900631aa0b987e8706b622180b3e8e46318760206a
Opcode Fuzzy Hash: 076cb180292e099519fd402c0ca5df0542a60f64c4738d6f7d73b570541e621c
Instruction Fuzzy Hash: C341D475600214AFDB109F18C894BEABBEBEF46364F548059F9199F391C770AD81CBE1

Function 0069CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0069DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0069CF22,?), ref: 0069DDFD

Part of subcall function 0069DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0069CF22,?), ref: 0069DE16

lstrcmpiW.KERNEL32(?,?), ref: 0069CF45
MoveFileW.KERNEL32(?,?), ref: 0069CF7F
_wcslen.LIBCMT ref: 0069D005
_wcslen.LIBCMT ref: 0069D01B
SHFileOperationW.SHELL32(?), ref: 0069D061

Strings

\*.*, xrefs: 0069CFF3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 2439aefa657aa49cb3280b62c1e306a287b143aa336d5513c237c05c568db5e0
Instruction ID: 369dbb3c70b711e545db354e59c3ca65ce517f84e2c6cbb1b23a9a8c7a51c1aa
Opcode Fuzzy Hash: 2439aefa657aa49cb3280b62c1e306a287b143aa336d5513c237c05c568db5e0
Instruction Fuzzy Hash: 034158719051185FDF52EFA4D981EEDB7BEAF44390F0000EAE509EB641EA34A788CB54

Function 006C2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 006C2E1C
GetWindowLongW.USER32(?,000000F0), ref: 006C2E4F
GetWindowLongW.USER32(?,000000F0), ref: 006C2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 006C2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 006C2EE0
GetWindowLongW.USER32(?,000000F0), ref: 006C2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006C2F0B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: c0c3bf3f227dce81e1922cdecbde1ad0d65cfcda22eaeacc183f030515827d2e
Instruction ID: cf94f50da91627dcf7eac0d7216ede849df9e0c44ddaf5408eae97f73bb2742d
Opcode Fuzzy Hash: c0c3bf3f227dce81e1922cdecbde1ad0d65cfcda22eaeacc183f030515827d2e
Instruction Fuzzy Hash: 6E311230644256EFDB20DF18DCA4FA537E2EB8A720F1541A8FA04EB2B1CB71A8409B40

Function 00697726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00697769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0069778F
SysAllocString.OLEAUT32(00000000), ref: 00697792
SysAllocString.OLEAUT32(?), ref: 006977B0
SysFreeString.OLEAUT32(?), ref: 006977B9
StringFromGUID2.OLE32(?,?,00000028), ref: 006977DE
SysAllocString.OLEAUT32(?), ref: 006977EC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 27acd26a3c8a023301a225c16d1055b878c584b424d52e345272b1187eda5463
Instruction ID: e540ec056a30c53b76db281dfec17a50c06341d9f771a2e1ff3713b4d382d224
Opcode Fuzzy Hash: 27acd26a3c8a023301a225c16d1055b878c584b424d52e345272b1187eda5463
Instruction Fuzzy Hash: 81219076614219AFDF10DFA9CC88CFB77EEEB097647048025FA19DB260D670DC428764

Function 006977FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00697842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00697868
SysAllocString.OLEAUT32(00000000), ref: 0069786B
SysAllocString.OLEAUT32 ref: 0069788C
SysFreeString.OLEAUT32 ref: 00697895
StringFromGUID2.OLE32(?,?,00000028), ref: 006978AF
SysAllocString.OLEAUT32(?), ref: 006978BD

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5afde3d7e82c2eb864f1a43ce111c06cd659af20378d23345e2c5ad54ba7efbb
Instruction ID: 51a949106dcf3d48006ccaee966d6270df876530fb7625ad6772c66c5002abbf
Opcode Fuzzy Hash: 5afde3d7e82c2eb864f1a43ce111c06cd659af20378d23345e2c5ad54ba7efbb
Instruction Fuzzy Hash: D9216D31618204AFDF10AFA8DD88DBA77EEEB097607148135F915CB6A1DA70DC41CB64

Function 006A04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006A04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006A052E

Strings

nul, xrefs: 006A0567

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5f3e948519c3595557d64c93c442404c417648f5f5876888ef8912540cb4cfbb
Instruction ID: 539ffce12801f324f5b7b6424206b821de2018c5d84199edecf348f850a6442c
Opcode Fuzzy Hash: 5f3e948519c3595557d64c93c442404c417648f5f5876888ef8912540cb4cfbb
Instruction Fuzzy Hash: 9021A2709003059FEF20AF29DD04AAA7BB6AF46764F204A18F8A1D22E0D7709D40CF20

Function 006A05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006A05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006A0601

Strings

nul, xrefs: 006A0639

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 499346446244118eedad5688768451772580032636a73f2fa4d2c3d3cb589fad
Instruction ID: ba31994ef18e0d26a02a81f4318494c6fee7e49f3d1d90b87699c1fd8be85a0d
Opcode Fuzzy Hash: 499346446244118eedad5688768451772580032636a73f2fa4d2c3d3cb589fad
Instruction Fuzzy Hash: 9C2153755003059BEB20AF69DC04EAA77E6BF96734F201A19F9A1E72D0D7709D61CF10

Function 006C40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0063600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0063604C
Part of subcall function 0063600E: GetStockObject.GDI32(00000011), ref: 00636060
Part of subcall function 0063600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006C4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006C411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006C412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006C4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006C4145

Strings

Msctls_Progress32, xrefs: 006C40E3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 560de40bf705cb79d003f88fc7c655ce3a7fc5e650142f5a1104d5dd15b90393
Instruction ID: ef84000ba22a23cfe70ff1147e807a34a0bb0ab34494c6ff1efe8d5a1824428b
Opcode Fuzzy Hash: 560de40bf705cb79d003f88fc7c655ce3a7fc5e650142f5a1104d5dd15b90393
Instruction Fuzzy Hash: 5A1193B1140119BEEF118F64CC85EF77F9EEF08798F014111FA18A2150CA769C21DBA4

Function 0066D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0066D7A3: _free.LIBCMT ref: 0066D7CC

_free.LIBCMT ref: 0066D82D

Part of subcall function 006629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000), ref: 006629DE
Part of subcall function 006629C8: GetLastError.KERNEL32(00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000,00000000), ref: 006629F0

_free.LIBCMT ref: 0066D838
_free.LIBCMT ref: 0066D843
_free.LIBCMT ref: 0066D897
_free.LIBCMT ref: 0066D8A2
_free.LIBCMT ref: 0066D8AD
_free.LIBCMT ref: 0066D8B8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 5ac71e68ee72cf17c80c0afab7efffc9d34396453aad71ed1b2e5e4c28630cab
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: DA115E71B40B04ABD6A1BFB1CC47FCB7FDEAF40B00F44092DB299A6092DA65F5058665

Function 0069DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0069DA74
LoadStringW.USER32(00000000), ref: 0069DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0069DA91
LoadStringW.USER32(00000000), ref: 0069DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0069DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0069DAB9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: fb6924840cfd3bbd1395ca0cca18ea532f279d862c1826664c41b32831be6312
Instruction ID: 940bbd5a71df34d43ac54c612a2e50c09ef76ef1204991dcc6329b49427b1d27
Opcode Fuzzy Hash: fb6924840cfd3bbd1395ca0cca18ea532f279d862c1826664c41b32831be6312
Instruction Fuzzy Hash: 950186F25002087FEB10ABA4DD89EF7376DE708311F4054A6F74AE2141EA749E854F74

Function 006A096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(013FEB40,013FEB40), ref: 006A097B
EnterCriticalSection.KERNEL32(013FEB20,00000000), ref: 006A098D
TerminateThread.KERNEL32(?,000001F6), ref: 006A099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 006A09A9
CloseHandle.KERNEL32(?), ref: 006A09B8
InterlockedExchange.KERNEL32(013FEB40,000001F6), ref: 006A09C8
LeaveCriticalSection.KERNEL32(013FEB20), ref: 006A09CF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 95b61838fd2cae543868a3728cf7dd86e971ea0f80af8f915104836abc60f511
Instruction ID: 6b806664754e569718a831f88984e32a31566db31b7c42bf2ed292a726625780
Opcode Fuzzy Hash: 95b61838fd2cae543868a3728cf7dd86e971ea0f80af8f915104836abc60f511
Instruction Fuzzy Hash: 9AF01D31442902ABE7415B94EE88EE6BA26FF01712F403015F105908A0C7749965DF90

Function 006B1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006B1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006B1DE1
WSAGetLastError.WSOCK32 ref: 006B1DF2
htons.WSOCK32(?,?,?,?,?), ref: 006B1EDB
inet_ntoa.WSOCK32(?), ref: 006B1E8C

Part of subcall function 006939E8: _strlen.LIBCMT ref: 006939F2

Part of subcall function 006B3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,006AEC0C), ref: 006B3240

_strlen.LIBCMT ref: 006B1F35

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 023666e98caf0e62ce62fb9321ec1a80dcb0c78ef692064c595d754f27908024
Instruction ID: 06095bc30081319ad430beb5c65667d77153f976831708c0a1e299c37e3d90f6
Opcode Fuzzy Hash: 023666e98caf0e62ce62fb9321ec1a80dcb0c78ef692064c595d754f27908024
Instruction Fuzzy Hash: 59B1C170204300AFD324DF24C895EAA7BEAAF85318F94854CF5565F3A2CB71ED86CB91

Function 00635D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00635D30
GetWindowRect.USER32(?,?), ref: 00635D71
ScreenToClient.USER32(?,?), ref: 00635D99
GetClientRect.USER32(?,?), ref: 00635ED7
GetWindowRect.USER32(?,?), ref: 00635EF8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9c0d3345a64a6d0f49a824b6b3bb10bbd82a343cc3da7f7847379e0dcd6a81d3
Instruction ID: cd41b90beb72414225866b8d9738002a0c7d2841a6c95fd59367474c107f3ee7
Opcode Fuzzy Hash: 9c0d3345a64a6d0f49a824b6b3bb10bbd82a343cc3da7f7847379e0dcd6a81d3
Instruction Fuzzy Hash: 00B16835A0074ADBDB10CFA9C4847EAB7F2FF48310F14941AE8AAD7250DB34EA51DB94

Function 006601B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006600BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006600D6
__allrem.LIBCMT ref: 006600ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0066010B
__allrem.LIBCMT ref: 00660122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00660140

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: a1c6192f77c7afdae5a00931750a33ba6e247c02c993b887eb00343520e82c86
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 5F81E672A00706ABE7249F69CC41BABB3EBAF42324F24453EF951DB781E770D9448794

Function 006661FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006582D9,006582D9,?,?,?,0066644F,00000001,00000001,8BE85006), ref: 00666258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0066644F,00000001,00000001,8BE85006,?,?,?), ref: 006662DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006663D8
__freea.LIBCMT ref: 006663E5

Part of subcall function 00663820: RtlAllocateHeap.NTDLL(00000000,?,00701444,?,0064FDF5,?,?,0063A976,00000010,00701440,006313FC,?,006313C6,?,00631129), ref: 00663852

__freea.LIBCMT ref: 006663EE
__freea.LIBCMT ref: 00666413

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 9d85ed646d03b093a8aba82df0cfa2790f2e5b0b7c96c9db98d27979596d0233
Instruction ID: 7a0dff287d12049d168146d9f2c058a70deec6726ccd5eb38d63b0e41264a5a1
Opcode Fuzzy Hash: 9d85ed646d03b093a8aba82df0cfa2790f2e5b0b7c96c9db98d27979596d0233
Instruction Fuzzy Hash: 9C51B172600256ABEB258F64EC81EFF77ABEF45750F154629FC05EA240EB34DD41C6A0

Function 006BBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 006BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006BB6AE,?,?), ref: 006BC9B5
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BC9F1
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA68
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006BBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006BBD25
RegCloseKey.ADVAPI32(00000000), ref: 006BBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006BBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006BBDF3
RegCloseKey.ADVAPI32(?), ref: 006BBDFF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: edd9ad6df3deb0c4d659ec0c9f34f30ede36aad0c43c7a6b5261c0a2312fe802
Instruction ID: 91acd81dd61a7aafbde48269fe35c0ae7c6c276690f4f132c1760f29b0e0f486
Opcode Fuzzy Hash: edd9ad6df3deb0c4d659ec0c9f34f30ede36aad0c43c7a6b5261c0a2312fe802
Instruction Fuzzy Hash: 3F81C270208241EFD714DF24C891EAABBE6FF84318F14995CF4994B2A2CB71ED45CB92

Function 0068F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0068F7B9
SysAllocString.OLEAUT32(00000001), ref: 0068F860
VariantCopy.OLEAUT32(0068FA64,00000000), ref: 0068F889
VariantClear.OLEAUT32(0068FA64), ref: 0068F8AD
VariantCopy.OLEAUT32(0068FA64,00000000), ref: 0068F8B1
VariantClear.OLEAUT32(?), ref: 0068F8BB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: fc57a32103499fb5b48540e82cd483b5b26d7e9682fa0c6d02d597fc5ed56271
Instruction ID: 744674723c02424d745db3d2df41f69d99708f45af861770ae7bb5e2c168743e
Opcode Fuzzy Hash: fc57a32103499fb5b48540e82cd483b5b26d7e9682fa0c6d02d597fc5ed56271
Instruction Fuzzy Hash: 2D51B731A00310BACF64BF65D895B69B3E7EF45310F24956BE905EF291DB708C41CBAA

Function 006A910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00637620: _wcslen.LIBCMT ref: 00637625

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 006A94E5
_wcslen.LIBCMT ref: 006A9506
_wcslen.LIBCMT ref: 006A952D
GetSaveFileNameW.COMDLG32(00000058), ref: 006A9585

Strings

X, xrefs: 006A9412

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 515369490256361da5c3cc2a9fd48310150a57cf30fc19a53e7f9e682b0a6cc1
Instruction ID: b2a3cd4d99902eec7db1e2c249be0c27da1848d12c7fcccc93e3afe255ac2019
Opcode Fuzzy Hash: 515369490256361da5c3cc2a9fd48310150a57cf30fc19a53e7f9e682b0a6cc1
Instruction Fuzzy Hash: F9E181319083509FD764EF24C481A6AB7E2BF85314F14896DF8899B3A2DB31DD05CFA6

Function 0064920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

BeginPaint.USER32(?,?,?), ref: 00649241
GetWindowRect.USER32(?,?), ref: 006492A5
ScreenToClient.USER32(?,?), ref: 006492C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 006492D3
EndPaint.USER32(?,?,?,?,?), ref: 00649321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 006871EA

Part of subcall function 00649339: BeginPath.GDI32(00000000), ref: 00649357

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 5c033eca0e0f4abf6b6898d88fb37703c1f93876195a1cf9357913b604c96b2a
Instruction ID: bda3ec896babdc9ba1d21f1daf805be0366f72daa07c9b6374aad90e90ccbae0
Opcode Fuzzy Hash: 5c033eca0e0f4abf6b6898d88fb37703c1f93876195a1cf9357913b604c96b2a
Instruction Fuzzy Hash: 4C419D30144240EFD721DF25CC88FBB7BAAEF86324F144269F994872E1CB71A945DB61

Function 006A07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006A080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 006A0847
EnterCriticalSection.KERNEL32(?), ref: 006A0863
LeaveCriticalSection.KERNEL32(?), ref: 006A08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 006A08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 006A0921

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: b573623ab371ac291e3bd99637986a9b9156a0f47b0d2c225a200a5333a8f9c2
Instruction ID: eaf372dd3a4977587e7cef7da65df868ee3978866f7c097251f82ac181342373
Opcode Fuzzy Hash: b573623ab371ac291e3bd99637986a9b9156a0f47b0d2c225a200a5333a8f9c2
Instruction Fuzzy Hash: 0B418971900205EFEF04AF54DC85AAAB7BAFF05310F1440A9ED049A297DB34EE65DBA4

Function 006C81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0068F3AB,00000000,?,?,00000000,?,0068682C,00000004,00000000,00000000), ref: 006C824C
EnableWindow.USER32(?,00000000), ref: 006C8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006C82D1
ShowWindow.USER32(?,00000004), ref: 006C82E5
EnableWindow.USER32(?,00000001), ref: 006C830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 006C832F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: aca1819a518423e9285c4dccde99b747d07472688694b13181b5e6854c7e05f4
Instruction ID: 34e0296d85d26f7c9d415a10b9cde3696c444b11e0d0cbd22ed8c34e6e6ff788
Opcode Fuzzy Hash: aca1819a518423e9285c4dccde99b747d07472688694b13181b5e6854c7e05f4
Instruction Fuzzy Hash: 22418E34601684EFDB21CF55C899FF47BE2FB4A714F1852ADE5084B2A2CB35A941CB94

Function 00694C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00694C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00694CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00694CEA
_wcslen.LIBCMT ref: 00694D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00694D10
_wcsstr.LIBVCRUNTIME ref: 00694D1A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 127593c4af7a94db42d439d2894479e592002ac7011a745ffc5d4967ae490548
Instruction ID: b09b61f8307ab9e6de0cfc4a6b2bf4ba6d492ed3ee07d4250eac5c9a1ec43381
Opcode Fuzzy Hash: 127593c4af7a94db42d439d2894479e592002ac7011a745ffc5d4967ae490548
Instruction Fuzzy Hash: 7621F935604200BBEF155B35DD49E7B7B9EDF45760F10402DF809CA291EE61DC4296A0

Function 006A581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00633AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00633A97,?,?,00632E7F,?,?,?,00000000), ref: 00633AC2

_wcslen.LIBCMT ref: 006A587B
CoInitialize.OLE32(00000000), ref: 006A5995
CoCreateInstance.OLE32(006CFCF8,00000000,00000001,006CFB68,?), ref: 006A59AE
CoUninitialize.OLE32 ref: 006A59CC

Strings

.lnk, xrefs: 006A5876, 006A58C1, 006A5985

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: e00d5a1a9fc48b156b72a67f80484215924bc2f7bfddc327c93efeb368947295
Instruction ID: a48a87345789874e3c66622fc1bef3c8db4c3f8a1686f4a88e23f827ae9cb3a1
Opcode Fuzzy Hash: e00d5a1a9fc48b156b72a67f80484215924bc2f7bfddc327c93efeb368947295
Instruction Fuzzy Hash: 36D144756086019FC714EF15C490A6ABBE6FF8A720F14885DF88A9B361DB31EC45CF92

Function 0069175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00690FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00690FCA
Part of subcall function 00690FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00690FD6
Part of subcall function 00690FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00690FE5
Part of subcall function 00690FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00690FEC
Part of subcall function 00690FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00691002

GetLengthSid.ADVAPI32(?,00000000,00691335), ref: 006917AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006917BA
HeapAlloc.KERNEL32(00000000), ref: 006917C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 006917DA
GetProcessHeap.KERNEL32(00000000,00000000,00691335), ref: 006917EE
HeapFree.KERNEL32(00000000), ref: 006917F5

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7b5675f80dc0f669d4937243d7ee998254505acad5d7c43f2682ac07928bfac3
Instruction ID: 9e48a3e1659e810a77a9cdd592359de6eaa93ceb10556cc301088cee8d520f71
Opcode Fuzzy Hash: 7b5675f80dc0f669d4937243d7ee998254505acad5d7c43f2682ac07928bfac3
Instruction Fuzzy Hash: 28116A32600606EFDF109FA5CC49FFE7BAEEB46365F244018F4459B620D736AA45DB60

Function 006914CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006914FF
OpenProcessToken.ADVAPI32(00000000), ref: 00691506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00691515
CloseHandle.KERNEL32(00000004), ref: 00691520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0069154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00691563

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b0c7079e5afc7de5748f68d250af9afe378a67d803cb0fb98afa4703337ceabf
Instruction ID: 4d4b5fe76455b676267084c0bb1d4704adbad01d74ce14aca1b819a99e70f901
Opcode Fuzzy Hash: b0c7079e5afc7de5748f68d250af9afe378a67d803cb0fb98afa4703337ceabf
Instruction Fuzzy Hash: 85114AB250020AABDF11CF94DD49FEA7BAEFB49754F154014FA09A6160C3758E619B60

Function 00653382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00653379,00652FE5), ref: 00653390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0065339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006533B7
SetLastError.KERNEL32(00000000,?,00653379,00652FE5), ref: 00653409

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 098918a62ca660c515a29802b31a8f4629ca580a68ab9f27ab6b5b76c3f57532
Instruction ID: d87b8a2b503d6e2a544bfa48efde14151040390cd1f4c345aec2eb15b378f99d
Opcode Fuzzy Hash: 098918a62ca660c515a29802b31a8f4629ca580a68ab9f27ab6b5b76c3f57532
Instruction Fuzzy Hash: 1201B532609335AEE7552774BD959B62A97DB15BFBF20022DFC10853F0EF124D0A9548

Function 00662D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00665686,00673CD6,?,00000000,?,00665B6A,?,?,?,?,?,0065E6D1,?,006F8A48), ref: 00662D78
_free.LIBCMT ref: 00662DAB
_free.LIBCMT ref: 00662DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0065E6D1,?,006F8A48,00000010,00634F4A,?,?,00000000,00673CD6), ref: 00662DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0065E6D1,?,006F8A48,00000010,00634F4A,?,?,00000000,00673CD6), ref: 00662DEC
_abort.LIBCMT ref: 00662DF2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 79df11afdf8becf11b6d6bb8b59587db6f600947e61d7904dbc6f2853f2927d8
Instruction ID: 84ef3c46291a669d2e4dd12e9c222b46090dcdf1a71065c097458539f31dc03c
Opcode Fuzzy Hash: 79df11afdf8becf11b6d6bb8b59587db6f600947e61d7904dbc6f2853f2927d8
Instruction Fuzzy Hash: 92F0C831A04E4367C3526739BC36EAE255FAFC27B1F25051CF828923D2EF2489025264

Function 006C8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00649639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00649693
Part of subcall function 00649639: SelectObject.GDI32(?,00000000), ref: 006496A2
Part of subcall function 00649639: BeginPath.GDI32(?), ref: 006496B9
Part of subcall function 00649639: SelectObject.GDI32(?,00000000), ref: 006496E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 006C8A4E
LineTo.GDI32(?,00000003,00000000), ref: 006C8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 006C8A70
LineTo.GDI32(?,00000000,00000003), ref: 006C8A80
EndPath.GDI32(?), ref: 006C8A90
StrokePath.GDI32(?), ref: 006C8AA0

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 95df582d864c9f61c03b1cf2fdeae83e50bac5da9f9bbf8b8780d89beb6a280e
Instruction ID: 9b51ea21ac2c3e9ea560ad0f1914b36f3ed4f2c87e68c3b5f967e96433b17d10
Opcode Fuzzy Hash: 95df582d864c9f61c03b1cf2fdeae83e50bac5da9f9bbf8b8780d89beb6a280e
Instruction Fuzzy Hash: 47110C76500148FFDB119F90DC48EEA7F6DEB04364F048015FA5996161C7729D55DFA0

Function 006951FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00695218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00695229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00695230
ReleaseDC.USER32(00000000,00000000), ref: 00695238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0069524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00695261

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 8ce79ec3487a0904cac93e92676bdf2579667c82b1985c9c097b73590c67d13b
Instruction ID: a8ad2170a3681884bed36e813a93e36a87ea2eaa006833deba603589be4332b4
Opcode Fuzzy Hash: 8ce79ec3487a0904cac93e92676bdf2579667c82b1985c9c097b73590c67d13b
Instruction Fuzzy Hash: D4018475A01704BBEF105BA69C49E5EBF79EB44361F044066FA09A7280D6709900CB60

Function 00631BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00631BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00631BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00631C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00631C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00631C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00631C22

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 401b396637d4de2aa52170343409ac3a33a33dc9aa844efa54036d259ee5d8ea
Instruction ID: 5f8d45e1b26a60ec8e1f6ea8ac9c405bd6fa4b597f38a7d2339b0a1d449ebdea
Opcode Fuzzy Hash: 401b396637d4de2aa52170343409ac3a33a33dc9aa844efa54036d259ee5d8ea
Instruction Fuzzy Hash: B40167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BE15C4BA42C7F5A864CBE5

Function 0069EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0069EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0069EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0069EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0069EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0069EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0069EB75

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 86c5c9c2b677bc55e36a366e131dcb60c2f5ab323af713521cdf46cf40f021a6
Instruction ID: 2fd2cdd5cf60b1c2a907e383c312e3e9bb1b92b661a1127d5aa44c6ea7c04c23
Opcode Fuzzy Hash: 86c5c9c2b677bc55e36a366e131dcb60c2f5ab323af713521cdf46cf40f021a6
Instruction Fuzzy Hash: 5BF0BE72600558BBE7205B639D0EEFF3E7DEFCAB25F001158F605D1490D7A01A01C6B4

Function 00687439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00687452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00687469
GetWindowDC.USER32(?), ref: 00687475
GetPixel.GDI32(00000000,?,?), ref: 00687484
ReleaseDC.USER32(?,00000000), ref: 00687496
GetSysColor.USER32(00000005), ref: 006874B0

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 11451fa52282c2053de03c255314352f6b0b4afe8689ecd951dee76200721c60
Instruction ID: ede9d0444b83058bd9d1cbe3e67b81e87ac5486999e9e3e0282e2d60e95bb35e
Opcode Fuzzy Hash: 11451fa52282c2053de03c255314352f6b0b4afe8689ecd951dee76200721c60
Instruction Fuzzy Hash: A7014B31400215EFDB51AFA4DD08FFE7BB6FB04321F655164F919A21A1CB316E52AB50

Function 00691874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0069187F
UnloadUserProfile.USERENV(?,?), ref: 0069188B
CloseHandle.KERNEL32(?), ref: 00691894
CloseHandle.KERNEL32(?), ref: 0069189C
GetProcessHeap.KERNEL32(00000000,?), ref: 006918A5
HeapFree.KERNEL32(00000000), ref: 006918AC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 5d608b9ceba4c780e3d9c17948daa84e335c2087f3b2fd4ab92b7c3c9b822cda
Instruction ID: 52d2bbf725a907b2efd2ce45542b7242bd1ea9397fa8d6adee914378a3982bc8
Opcode Fuzzy Hash: 5d608b9ceba4c780e3d9c17948daa84e335c2087f3b2fd4ab92b7c3c9b822cda
Instruction Fuzzy Hash: CAE0C236404901BBDB015BA2ED0CD1ABB2AFB49B32B109220F229C1870CB329420EB60

Function 0063BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0063BEB3

Strings

D%pD%p, xrefs: 0063BCA5
D%p, xrefs: 0063BCA2
D%p, xrefs: 0063BDED, 0063BD91, 0063BD1B
D%p, xrefs: 0063BE9A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%p$D%p$D%p$D%pD%p
API String ID: 1385522511-3296756584
Opcode ID: b1a00621a1043fe36e9f04ded98f818f9fc1729447c8d9423193537e18f50da8
Instruction ID: 9d456e959021082e22f2cec1f720a39590c2280484583b9432abf9732a04e4a0
Opcode Fuzzy Hash: b1a00621a1043fe36e9f04ded98f818f9fc1729447c8d9423193537e18f50da8
Instruction Fuzzy Hash: B5914A75A0020ACFCB28CF58C4916A9B7F2FF58314F24A16EDA45AB351D771E982CBD4

Function 006B7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00650242: EnterCriticalSection.KERNEL32(0070070C,00701884,?,?,0064198B,00702518,?,?,?,006312F9,00000000), ref: 0065024D
Part of subcall function 00650242: LeaveCriticalSection.KERNEL32(0070070C,?,0064198B,00702518,?,?,?,006312F9,00000000), ref: 0065028A

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 006500A3: __onexit.LIBCMT ref: 006500A9

__Init_thread_footer.LIBCMT ref: 006B7BFB

Part of subcall function 006501F8: EnterCriticalSection.KERNEL32(0070070C,?,?,00648747,00702514), ref: 00650202
Part of subcall function 006501F8: LeaveCriticalSection.KERNEL32(0070070C,?,00648747,00702514), ref: 00650235

Strings

+Th, xrefs: 006B7E2E
5, xrefs: 006B7C78
Variable must be of type 'Object'., xrefs: 006B7C3A
G, xrefs: 006B7C7F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Th$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3802862433
Opcode ID: 61861f261683785e1347ab83e4a0d72e887d8b0402fa9a12f893fcc3958d66c7
Instruction ID: 2b4353b75cc87b5c688d85f0c8d10c027345224a1a7fcda4b5c0e0744e5b7a31
Opcode Fuzzy Hash: 61861f261683785e1347ab83e4a0d72e887d8b0402fa9a12f893fcc3958d66c7
Instruction Fuzzy Hash: 4B9169B0A04209AFCB14EF94D8919EDBBB2EF84340F10805DF8069B392DB71AE81CB55

Function 0069C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00637620: _wcslen.LIBCMT ref: 00637625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0069C6EE
_wcslen.LIBCMT ref: 0069C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0069C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0069C7CA

Strings

0, xrefs: 0069C6AF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 40943220b9c828937a00230bd6a558ae63e9bae7ed6e0245a792d7c26ec1d595
Instruction ID: ee84b3c510d12959e9e622422b7374f3956d899c6e19ad21a11639f541f1ee87
Opcode Fuzzy Hash: 40943220b9c828937a00230bd6a558ae63e9bae7ed6e0245a792d7c26ec1d595
Instruction Fuzzy Hash: 8D51F1716043009BDB509F68C885BAB77EEAF49320F040A2DF995D7AD0DB74D804DB96

Function 006BAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 006BAEA3

Part of subcall function 00637620: _wcslen.LIBCMT ref: 00637625

GetProcessId.KERNEL32(00000000), ref: 006BAF38
CloseHandle.KERNEL32(00000000), ref: 006BAF67

Strings

<, xrefs: 006BAE6B
@, xrefs: 006BAE72

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: d62d0735b61ada89191d43ba765424c2c22707097463707079a2125271948008
Instruction ID: 66c3180b962e26fe50efd90d33ff5f7bb5ad55639e633ca268ffe27dd56965a6
Opcode Fuzzy Hash: d62d0735b61ada89191d43ba765424c2c22707097463707079a2125271948008
Instruction Fuzzy Hash: D67168B1A00619DFCB14DF94C484A9EBBF2BF08310F04849DE856AB362CB75ED85CB95

Function 0069719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00697206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0069723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0069724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006972CF

Strings

DllGetClassObject, xrefs: 00697242

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 0c3bc331a6105f36d0c694b402ea4dc780510cff346b17d9f11db257aa0ebde6
Instruction ID: 4cd26c8b32087e9b193c6646c5f30a94cd99158c0e9e38bd41f08aa237d634de
Opcode Fuzzy Hash: 0c3bc331a6105f36d0c694b402ea4dc780510cff346b17d9f11db257aa0ebde6
Instruction Fuzzy Hash: 35415071624204DFDF15CF54C884AAA7BAEEF44710F1580AEFD059F60AD7B1DA45CBA0

Function 006C3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006C3E35
IsMenu.USER32(?), ref: 006C3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006C3E92
DrawMenuBar.USER32 ref: 006C3EA5

Strings

0, xrefs: 006C3D89

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: bb8ff13b504074f6c8578c2cf0bbb934bf561a9a054455e002b24f879c0f6284
Instruction ID: 9dee71c912b263ac9a2af47afd5c9ae5a975eecd0bc74769b1946efcbc93be03
Opcode Fuzzy Hash: bb8ff13b504074f6c8578c2cf0bbb934bf561a9a054455e002b24f879c0f6284
Instruction Fuzzy Hash: 51413675A00219EFDB10DF50D884EEABBBAFF49364F04816EE905A7350D730AE55CBA0

Function 00691DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 00693CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00693CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00691E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00691E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00691EA9

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

Strings

ComboBox, xrefs: 00691DF0
ListBox, xrefs: 00691E25

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 60f0673522dc0a0a43da7a608b9bd29f0b73670f6be5831430dd633fd8a94b1a
Instruction ID: 8248cf6d09054c5d7a1f1116d797c65019e0748587fa4bbecdaf7a6e5d5c924a
Opcode Fuzzy Hash: 60f0673522dc0a0a43da7a608b9bd29f0b73670f6be5831430dd633fd8a94b1a
Instruction Fuzzy Hash: EC212671A00104BADF149B60CC45CFFBBBFDF42360F20411DF815A76E0DB7449068A60

Function 006C2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006C2F8D
LoadLibraryW.KERNEL32(?), ref: 006C2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006C2FA9
DestroyWindow.USER32(?), ref: 006C2FB1

Strings

SysAnimate32, xrefs: 006C2F68

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 07d4307deba13bea37ee4488ac1d84233332dd8eb16b93c5807c3651ff06f828
Instruction ID: 02b0680ea10bbeeac24aa83e116a62b871f01c0efa7951e08d7e2adf6b7dba67
Opcode Fuzzy Hash: 07d4307deba13bea37ee4488ac1d84233332dd8eb16b93c5807c3651ff06f828
Instruction Fuzzy Hash: 2E21DC7124020AABEB208F64DCA0FBB37BEEB58324F10521CFE20D2290C731DC419760

Function 00654D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00654D1E,006628E9,?,00654CBE,006628E9,006F88B8,0000000C,00654E15,006628E9,00000002), ref: 00654D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00654DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00654D1E,006628E9,?,00654CBE,006628E9,006F88B8,0000000C,00654E15,006628E9,00000002,00000000), ref: 00654DC3

Strings

mscoree.dll, xrefs: 00654D86
CorExitProcess, xrefs: 00654D98

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 12a3d9d8d89b54efab13fe1a1b2fb60884e2a4f6a6153048c09efe9935282582
Instruction ID: bff3eba58b4085affde322c26a6174dfe9fca2e136bd60adc35fe8cd9005cb71
Opcode Fuzzy Hash: 12a3d9d8d89b54efab13fe1a1b2fb60884e2a4f6a6153048c09efe9935282582
Instruction Fuzzy Hash: 68F04434940208BBEB115F95DC49FEDBFB6EF44766F040195FC09A6650CF315984CA90

Function 00634E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00634EDD,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00634EAE
FreeLibrary.KERNEL32(00000000,?,?,00634EDD,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00634EA8
kernel32.dll, xrefs: 00634E94

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: d48e710edfdf4c339f571d78b4a2bb2318ab1331c2af5cd9ebac66d5b55353b0
Instruction ID: df61961f3e8c086b1c0dd2f398b967eedef4a1db5b6fa47ac07470d7c19f382b
Opcode Fuzzy Hash: d48e710edfdf4c339f571d78b4a2bb2318ab1331c2af5cd9ebac66d5b55353b0
Instruction Fuzzy Hash: 4FE08635E016225BD32117266C18FBBA556AFC1B72B090115FD08D2310DF60DD0640E0

Function 00634E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00673CDE,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00634E74
FreeLibrary.KERNEL32(00000000,?,?,00673CDE,?,00701418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00634E87

Strings

kernel32.dll, xrefs: 00634E5B
Wow64RevertWow64FsRedirection, xrefs: 00634E6E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: e089f4cbdade61bd638d4c740e834c0cd9f93432cf2a0605961d081a0f861985
Instruction ID: 53bf2c0137099204c53f70a7ee919b3d965e6e5990f9f9ab50b94ddb1a7750cc
Opcode Fuzzy Hash: e089f4cbdade61bd638d4c740e834c0cd9f93432cf2a0605961d081a0f861985
Instruction Fuzzy Hash: AFD0123690263157D7221B66AC18EEBAA1BAF85F7170A0515F909A2214CF60DD0285D0

Function 006A2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006A2C05
DeleteFileW.KERNEL32(?), ref: 006A2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006A2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006A2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006A2CC0

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: abac32cd81aba8410bc1eaa9c8d805f4402f003bb99cf006e81213fc1664d456
Instruction ID: 97108c9013a8c8f7c06decbddf28f172b97ecbc5452f9b9c4768af79dd7f90a9
Opcode Fuzzy Hash: abac32cd81aba8410bc1eaa9c8d805f4402f003bb99cf006e81213fc1664d456
Instruction Fuzzy Hash: 2FB15071900119ABDF55EBA8CC95EDEB7BEEF09310F1040AAF609E7141EB319E448FA5

Function 006BA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 006BA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006BA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006BA468
CloseHandle.KERNEL32(?), ref: 006BA63D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 1236acb2c1b584da05dfd18185e1bca1818afb8cfc5c09e231cedc8e5a95fe8b
Instruction ID: 9183ffc3e831ca95438ba75a79ccd72ea26faf2e73272bc7939c0435db3b9434
Opcode Fuzzy Hash: 1236acb2c1b584da05dfd18185e1bca1818afb8cfc5c09e231cedc8e5a95fe8b
Instruction Fuzzy Hash: A9A1A4B16043009FD760DF14C886F6AB7E6AF84714F14885DF5999B392D770EC41CB95

Function 0066BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006D3700), ref: 0066BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0070121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0066BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00701270,000000FF,?,0000003F,00000000,?), ref: 0066BC36
_free.LIBCMT ref: 0066BB7F

Part of subcall function 006629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000), ref: 006629DE
Part of subcall function 006629C8: GetLastError.KERNEL32(00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000,00000000), ref: 006629F0

_free.LIBCMT ref: 0066BD4B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: f108d6c14e0d1f07d9712956d0a5cabe511bdfb753f65614abd3d2e7a57ae726
Instruction ID: 6bc65426f686d763570175d35823a0dc734407c8f9f1459ac9a2dd03030f4622
Opcode Fuzzy Hash: f108d6c14e0d1f07d9712956d0a5cabe511bdfb753f65614abd3d2e7a57ae726
Instruction Fuzzy Hash: 3651C571A00209EFCB10EF659C819BEB7BAFF40760B50526EE554E7391EB709E818B54

Function 0069E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0069DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0069CF22,?), ref: 0069DDFD

Part of subcall function 0069DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0069CF22,?), ref: 0069DE16

Part of subcall function 0069E199: GetFileAttributesW.KERNEL32(?,0069CF95), ref: 0069E19A

lstrcmpiW.KERNEL32(?,?), ref: 0069E473
MoveFileW.KERNEL32(?,?), ref: 0069E4AC
_wcslen.LIBCMT ref: 0069E5EB
_wcslen.LIBCMT ref: 0069E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0069E650

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 0c11385fe45a12284d7ca9dc4c4f00e3234613ed6d9f62245dfe8bb58694324b
Instruction ID: 9ce26c71496867b8d46fc7fb458bed90c6e30c8f0f5cf0f674434fe4e862aa01
Opcode Fuzzy Hash: 0c11385fe45a12284d7ca9dc4c4f00e3234613ed6d9f62245dfe8bb58694324b
Instruction Fuzzy Hash: CA5164B24083459BCB64DB90D8819DFB3EEAF85350F00491EF589D3191EF75A68CCB6A

Function 006BB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 006BC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006BB6AE,?,?), ref: 006BC9B5
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BC9F1
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA68
Part of subcall function 006BC998: _wcslen.LIBCMT ref: 006BCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006BBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006BBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006BBB63
RegCloseKey.ADVAPI32(?,?), ref: 006BBBA6
RegCloseKey.ADVAPI32(00000000), ref: 006BBBB3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: c9ab25aba2d18f6a95ff8a2d255c78ec399a3eb7cc307db05a20e8bb6bc42ce4
Instruction ID: a5bb57caa4bfd6e035dfec3957e6f994a022e2b0ef5089e4bfd1033e6e65f162
Opcode Fuzzy Hash: c9ab25aba2d18f6a95ff8a2d255c78ec399a3eb7cc307db05a20e8bb6bc42ce4
Instruction Fuzzy Hash: 6A61A371208241AFD714DF14C890EAABBE6FF84318F14995CF4994B2A2DB71ED85CB92

Function 00698BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00698BCD
VariantClear.OLEAUT32 ref: 00698C3E
VariantClear.OLEAUT32 ref: 00698C9D
VariantClear.OLEAUT32(?), ref: 00698D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00698D3B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 7f94cf4dee8f6ecdcc5f0d734e2de95ef48e120867888bdce947c69015a6a6d9
Instruction ID: 5d223ce974b986d366252a2ad83e59f381d1fbba38d94d91fa1c10cd5a590fa5
Opcode Fuzzy Hash: 7f94cf4dee8f6ecdcc5f0d734e2de95ef48e120867888bdce947c69015a6a6d9
Instruction Fuzzy Hash: 825137B5A00619EFCB14CF68C894EAAB7FAFF89314B158559E909DB350E730E911CF90

Function 006A8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006A8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 006A8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006A8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006A8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006A8C5F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f55bf980d9b08068c0e1c65f3b61a3cd11a4af7ddff2c57aa566dc7da432e215
Instruction ID: 0245341e486b5ace1d32e10aff3e61bd4b919025233954a6ee17012b0f185b5f
Opcode Fuzzy Hash: f55bf980d9b08068c0e1c65f3b61a3cd11a4af7ddff2c57aa566dc7da432e215
Instruction Fuzzy Hash: E3515E75A002189FCB14DF65C880E69BBF6FF49324F088458E84AAB362CB35ED51CF94

Function 006B8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 006B8F40
GetProcAddress.KERNEL32(00000000,?), ref: 006B8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 006B8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 006B9032
FreeLibrary.KERNEL32(00000000), ref: 006B9052

Part of subcall function 0064F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,006A1043,?,7735E610), ref: 0064F6E6
Part of subcall function 0064F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0068FA64,00000000,00000000,?,?,006A1043,?,7735E610,?,0068FA64), ref: 0064F70D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: e640120a13c63dae7b4f6eeca3e963c193a2801ef79c4ed68f34a5715d635910
Instruction ID: 43f7e8b232f797251628c9c805de59b81290f9d28e7dceace772752dab938565
Opcode Fuzzy Hash: e640120a13c63dae7b4f6eeca3e963c193a2801ef79c4ed68f34a5715d635910
Instruction Fuzzy Hash: 78512975604205DFCB15EF58C4948EDBBB6FF49324F098098E90A9B362DB31ED86CB90

Function 006C6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 006C6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 006C6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 006C6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,006AAB79,00000000,00000000), ref: 006C6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 006C6CC7

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: d02cb28e4bc5f31c413c7be98638068d48adab1c0c55a23afbffa8d398a99839
Instruction ID: f0c31a7fd8187a4e997a09489c2e7aa8da1a3b3ed3e9e86a81bc64be6529e2a3
Opcode Fuzzy Hash: d02cb28e4bc5f31c413c7be98638068d48adab1c0c55a23afbffa8d398a99839
Instruction Fuzzy Hash: 2E41CD35A00144AFDB24CF28CD58FF97BA6EB09360F15026CF899A73A0C771AD51CA88

Function 00662051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006620C3
_free.LIBCMT ref: 006620E3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 57bd07a36d1ef9bf1e0a3f8f50bf4ca5592ff4d1785aebda4bc97be3caa530c4
Instruction ID: 07e1dd9b8ec4335f5ccf0e9c64b95bb418e28053132b1184cf1804919b89d43f
Opcode Fuzzy Hash: 57bd07a36d1ef9bf1e0a3f8f50bf4ca5592ff4d1785aebda4bc97be3caa530c4
Instruction Fuzzy Hash: 1C410632A00605AFCB24DF78C990A9DB7F6EF89314F1545ACEA15EB351DB31AD01CB80

Function 0064912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00649141
ScreenToClient.USER32(00000000,?), ref: 0064915E
GetAsyncKeyState.USER32(00000001), ref: 00649183
GetAsyncKeyState.USER32(00000002), ref: 0064919D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 94957f42f7f93638e3c108de1052841855a297a43460a726fdea73f78550847b
Instruction ID: a7e732b04071d1bf399310b68df9aa65906e17c3d3131984bdac8e4a8af6e212
Opcode Fuzzy Hash: 94957f42f7f93638e3c108de1052841855a297a43460a726fdea73f78550847b
Instruction Fuzzy Hash: CC41407190851BBBDF15AF64C848BFEB776FB05324F244319E469A72D0C730A950CB61

Function 006A3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 006A38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 006A3922
TranslateMessage.USER32(?), ref: 006A394B
DispatchMessageW.USER32(?), ref: 006A3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A3966

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: dda37dc97425e5d1cfb4309fdb14238ad10a98fdda94e77d12b678774f815c93
Instruction ID: fc7d0ac2919993d502bdb233d3333dedf8a9ea9e51ad367dcccf10dbdcdb1ffb
Opcode Fuzzy Hash: dda37dc97425e5d1cfb4309fdb14238ad10a98fdda94e77d12b678774f815c93
Instruction Fuzzy Hash: FF31A370904351DEEB25EB249848BF777AAAB06304F44856DF456823E0F7B8AE85CF11

Function 006ACF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,006AC21E,00000000), ref: 006ACF38
InternetReadFile.WININET(?,00000000,?,?), ref: 006ACF6F
GetLastError.KERNEL32(?,00000000,?,?,?,006AC21E,00000000), ref: 006ACFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,006AC21E,00000000), ref: 006ACFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,006AC21E,00000000), ref: 006ACFF2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 4dc133122b91df8f5edee2032c32a27ae3e57dc30c90167bb4edb87e9f166e32
Instruction ID: b68a0b769d520dc203b9f45645ec1de6fc5474f5eea19163d1989b6df4bb7c7f
Opcode Fuzzy Hash: 4dc133122b91df8f5edee2032c32a27ae3e57dc30c90167bb4edb87e9f166e32
Instruction Fuzzy Hash: F3314F71504205AFDB20EFA5C884DABBBFBEF15361B10442EF51AD2241DB30AE41DF60

Function 00691901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00691915
PostMessageW.USER32(00000001,00000201,00000001), ref: 006919C1
Sleep.KERNEL32(00000000,?,?,?), ref: 006919C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 006919DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 006919E2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 03a3f63d28b53c5c87aad4503bb1726ccc31956fe4e18b35f8e4906effe1c9da
Instruction ID: 5268f71eacb100a5c850cafc7e2cf07ebb854715904fc3dfff94cec826d40ce3
Opcode Fuzzy Hash: 03a3f63d28b53c5c87aad4503bb1726ccc31956fe4e18b35f8e4906effe1c9da
Instruction Fuzzy Hash: 7731D67190021AEFDF00CFA8CD59AEE3BBAEB45325F104225F925AB2D1C7709D44DB90

Function 006C5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 006C5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 006C579D
_wcslen.LIBCMT ref: 006C57AF
_wcslen.LIBCMT ref: 006C57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 006C5816

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5a32202264756b49be8ad025ee4f571a20d7d56fce4ee56bbfdcd256b5c61e96
Instruction ID: 32d118e0442e683f80fa2dd4d50ebea73d9fa91e1eb77787aad2540d6af4f0fd
Opcode Fuzzy Hash: 5a32202264756b49be8ad025ee4f571a20d7d56fce4ee56bbfdcd256b5c61e96
Instruction Fuzzy Hash: 712161719046189ADB209F60CC85FFE77BEFF04724F10825AE92AAA280D770A9C5CF50

Function 006B0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 006B0951
GetForegroundWindow.USER32 ref: 006B0968
GetDC.USER32(00000000), ref: 006B09A4
GetPixel.GDI32(00000000,?,00000003), ref: 006B09B0
ReleaseDC.USER32(00000000,00000003), ref: 006B09E8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 792b9d31dbda99b4289880b531286bad34581d4df334dd6496a621f455945022
Instruction ID: 767d6ca29105ec2348b2932846bdbcac171dab2fae447952e68e5163c82e5017
Opcode Fuzzy Hash: 792b9d31dbda99b4289880b531286bad34581d4df334dd6496a621f455945022
Instruction Fuzzy Hash: 29218175600204AFD744EF65C984EAEBBEAEF49750F04906CF84A97752CB30AC44CF90

Function 0066CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0066CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0066CDE9

Part of subcall function 00663820: RtlAllocateHeap.NTDLL(00000000,?,00701444,?,0064FDF5,?,?,0063A976,00000010,00701440,006313FC,?,006313C6,?,00631129), ref: 00663852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0066CE0F
_free.LIBCMT ref: 0066CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0066CE31

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 9cb36099e04a285998dd546cde874fe18ba5bb4fa82dd35526f483d22d5c62eb
Instruction ID: 8965ddd50685a5e5d0822dcc8c8c9444b6dc19ae2706a29c1f2dba52a137a14c
Opcode Fuzzy Hash: 9cb36099e04a285998dd546cde874fe18ba5bb4fa82dd35526f483d22d5c62eb
Instruction Fuzzy Hash: 0A018872A01A157FA32116BA6C58DBB797FDEC6FB1315012DF949C7201DA668D0281F4

Function 00649639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00649693
SelectObject.GDI32(?,00000000), ref: 006496A2
BeginPath.GDI32(?), ref: 006496B9
SelectObject.GDI32(?,00000000), ref: 006496E2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a42f21270608767684cb7116b453c3897a9e41bc4bcae027b6effcadb291d5a4
Instruction ID: f309db705f02ce14c8230dd9bd173f8316f3de062009189f2b3757dbb1b41911
Opcode Fuzzy Hash: a42f21270608767684cb7116b453c3897a9e41bc4bcae027b6effcadb291d5a4
Instruction Fuzzy Hash: 1D218330852345EFEF11DF25EC18BFA3B66BB51325F518315F414961B0D774A852CBA8

Function 00695711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00695726
_memcmp.LIBVCRUNTIME ref: 00695744
_memcmp.LIBVCRUNTIME ref: 00695757
_memcmp.LIBVCRUNTIME ref: 0069576F
_memcmp.LIBVCRUNTIME ref: 00695787

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: edfd8b835bd10de71e588b89ff46011a49de50cd88cf2e63621862b94b45f610
Instruction ID: f5fd96d59e64a1193ab284e1ef4892a9649198ec28cf37216841123dd13b21ce
Opcode Fuzzy Hash: edfd8b835bd10de71e588b89ff46011a49de50cd88cf2e63621862b94b45f610
Instruction Fuzzy Hash: 8801F561341609BBDA095650ADA2FFB735FDB21395F004028FD069EA41FB30EF1583A5

Function 00662DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0065F2DE,00663863,00701444,?,0064FDF5,?,?,0063A976,00000010,00701440,006313FC,?,006313C6), ref: 00662DFD
_free.LIBCMT ref: 00662E32
_free.LIBCMT ref: 00662E59
SetLastError.KERNEL32(00000000,00631129), ref: 00662E66
SetLastError.KERNEL32(00000000,00631129), ref: 00662E6F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d4644ba10928bba67e25998af4e18b3a877e4870f72d16f28984c1ab2ca58964
Instruction ID: eb692c8894d5016c743faf49a3cf3b6cf6a54ad5a379fedc9b95cfde720f44b7
Opcode Fuzzy Hash: d4644ba10928bba67e25998af4e18b3a877e4870f72d16f28984c1ab2ca58964
Instruction Fuzzy Hash: 6701F436645E0267C71267366CA5D7B265FABD17B5B25013CF529A23D2EF268C024160

Function 0069000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?,?,?,0069035E), ref: 0069002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?,?), ref: 00690046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?,?), ref: 00690054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?), ref: 00690064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0068FF41,80070057,?,?), ref: 00690070

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 7133a15f13d627b2ca2f7183829f6e88408e4ac326cee3977c952b63d6fb2316
Instruction ID: 011180f0d0fb4457048e96366bd9f65a4d6f8e2b0973733e79ff877ae0aff129
Opcode Fuzzy Hash: 7133a15f13d627b2ca2f7183829f6e88408e4ac326cee3977c952b63d6fb2316
Instruction Fuzzy Hash: BA018B72601204BFEF108F68DC08FAA7EEFEB447A2F145124F909D2210E771DD408BA0

Function 0069E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0069E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0069E9A5
Sleep.KERNEL32(00000000), ref: 0069E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0069E9B7
Sleep.KERNEL32 ref: 0069E9F3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 002f45b503353e02cc39ff10d67b90c4ba890d50764d4988ebe80355a193b7c1
Instruction ID: b9db18ec70318393340d28f57f91668e7b0b47d1a80735129038e4efa18c2d9c
Opcode Fuzzy Hash: 002f45b503353e02cc39ff10d67b90c4ba890d50764d4988ebe80355a193b7c1
Instruction Fuzzy Hash: 71015331C01629DBCF00EBE5DC59AEDBB7AFB09320F050946E902B2641CB399A519BA1

Function 006910F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00691114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 00691120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 0069112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00690B9B,?,?,?), ref: 00691136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0069114D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1df8eee91f6150fc40dc3ada4f968a6976db100b0159aac90cfa9ab69b6834be
Instruction ID: 16df76b6714102c32dc4c128aaec55c5c231e5ffc552878e929b0c7f9933547b
Opcode Fuzzy Hash: 1df8eee91f6150fc40dc3ada4f968a6976db100b0159aac90cfa9ab69b6834be
Instruction Fuzzy Hash: 90011975200205BFDB114FA5DC4DEAA3B6FEF8A3A0B244419FA49D7360DB31DC019A60

Function 00690FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00690FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00690FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00690FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00690FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00691002

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 595c5aa419bba969082a22a6f23329be9cf6d40de348af7cc99cb09d26107537
Instruction ID: da6660a2e51ed2ae817dfac063adfb327fe3cff74ee41337d34667525721c31a
Opcode Fuzzy Hash: 595c5aa419bba969082a22a6f23329be9cf6d40de348af7cc99cb09d26107537
Instruction Fuzzy Hash: 1FF04F35200701ABDB214FA5DC49FA63B6EFF8A761F244414F949CB651CA71DC40CA60

Function 00691014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0069102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00691036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00691045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0069104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00691062

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3b2a89806c100c38da38f1b8401fd5c9e277ecac6f3786d85656e5d19712f365
Instruction ID: 3df227716a0701eb82a87f29e41b034819e2da5cf4739c777b4baeb66fe4f23f
Opcode Fuzzy Hash: 3b2a89806c100c38da38f1b8401fd5c9e277ecac6f3786d85656e5d19712f365
Instruction Fuzzy Hash: 4CF06235200705EBDB215FA5EC49FA63B6FFF8A761F240414F949CB650CE72D8808A60

Function 006A030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,006A017D,?,006A32FC,?,00000001,00672592,?), ref: 006A0324
CloseHandle.KERNEL32(?,?,?,?,006A017D,?,006A32FC,?,00000001,00672592,?), ref: 006A0331
CloseHandle.KERNEL32(?,?,?,?,006A017D,?,006A32FC,?,00000001,00672592,?), ref: 006A033E
CloseHandle.KERNEL32(?,?,?,?,006A017D,?,006A32FC,?,00000001,00672592,?), ref: 006A034B
CloseHandle.KERNEL32(?,?,?,?,006A017D,?,006A32FC,?,00000001,00672592,?), ref: 006A0358
CloseHandle.KERNEL32(?,?,?,?,006A017D,?,006A32FC,?,00000001,00672592,?), ref: 006A0365

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 395a0aba2be4b00fab66cb645759c345d4d7930f229da0a0259d453c41530203
Instruction ID: 6b71d799e084f71c53d4040df81e5ddba163bab31bbacf67dae3e94de7bdbcba
Opcode Fuzzy Hash: 395a0aba2be4b00fab66cb645759c345d4d7930f229da0a0259d453c41530203
Instruction Fuzzy Hash: 5401AE76800B169FDB30AF66D880852FBFABF613153158A3FD19652A31C3B1AD58DF80

Function 0066D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0066D752

Part of subcall function 006629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000), ref: 006629DE
Part of subcall function 006629C8: GetLastError.KERNEL32(00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000,00000000), ref: 006629F0

_free.LIBCMT ref: 0066D764
_free.LIBCMT ref: 0066D776
_free.LIBCMT ref: 0066D788
_free.LIBCMT ref: 0066D79A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d6799d43ed881b5c625de54ca6118b8dfca791ff041e342baa33866f89647a16
Instruction ID: 676963c6985b0125f80c99e657f75e535af9dc10bfcdeae2561584517843d159
Opcode Fuzzy Hash: d6799d43ed881b5c625de54ca6118b8dfca791ff041e342baa33866f89647a16
Instruction Fuzzy Hash: 7CF06232B00609ABC765EB65FAC1C6A7FDFBB44760B941809F058D7601CB30FC80C665

Function 00695C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00695C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00695C6F
MessageBeep.USER32(00000000), ref: 00695C87
KillTimer.USER32(?,0000040A), ref: 00695CA3
EndDialog.USER32(?,00000001), ref: 00695CBD

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5e6913e739ce20787fe399a67d52dc3bcf136ea3e02b3a230d55383f95931d54
Instruction ID: f28ce349d550acf7b88288895049f2702f837323eae3ad2f924c910fc08ee78d
Opcode Fuzzy Hash: 5e6913e739ce20787fe399a67d52dc3bcf136ea3e02b3a230d55383f95931d54
Instruction Fuzzy Hash: 3C016D30500B04EBEF215B15DE4EFE677BEBB00B15F00155DE687A19E1DBF0A9848B91

Function 006622A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006622BE

Part of subcall function 006629C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000), ref: 006629DE
Part of subcall function 006629C8: GetLastError.KERNEL32(00000000,?,0066D7D1,00000000,00000000,00000000,00000000,?,0066D7F8,00000000,00000007,00000000,?,0066DBF5,00000000,00000000), ref: 006629F0

_free.LIBCMT ref: 006622D0
_free.LIBCMT ref: 006622E3
_free.LIBCMT ref: 006622F4
_free.LIBCMT ref: 00662305

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 003aa14a8124f2c067b204a84f9ba42a1f4e2869d99dd1b4adc6516cadb3911e
Instruction ID: 2461a2b9d2c8c26fe7ed23ecef43151897d33e6586dc2ccd14481b327b00e9bf
Opcode Fuzzy Hash: 003aa14a8124f2c067b204a84f9ba42a1f4e2869d99dd1b4adc6516cadb3911e
Instruction Fuzzy Hash: 6FF03A70A00926CBCB56AF95BC219583FA6B718BB5B40870EF410D22B1CF381911ABED

Function 006495C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006495D4
StrokeAndFillPath.GDI32(?,?,006871F7,00000000,?,?,?), ref: 006495F0
SelectObject.GDI32(?,00000000), ref: 00649603
DeleteObject.GDI32 ref: 00649616
StrokePath.GDI32(?), ref: 00649631

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 613fdbb23f9565cbddf31ec33b3789ca069d684f598f21efc0ff89de113d3664
Instruction ID: d45ab384597543d2bf9af7ae3cacba380175845728e5842a13a223508e86dedf
Opcode Fuzzy Hash: 613fdbb23f9565cbddf31ec33b3789ca069d684f598f21efc0ff89de113d3664
Instruction Fuzzy Hash: DBF06430016288EBDB26AF29EC1CBA53B62AB00332F448314F469551F0CB399991CF28

Function 00660F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 006610F9
__freea.LIBCMT ref: 00661117

Part of subcall function 00661537: _free.LIBCMT ref: 0066154F

Strings

a/p, xrefs: 006611DE
am/pm, xrefs: 0066117A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: f291f749c072b753d98af71f7e0ffbacea16ce32b4c6008b1c6d6386f429153d
Instruction ID: 529d948f5845349d32f2e84cbe8d5b6e82619f96e57bc86673a07bfda3ba4e9d
Opcode Fuzzy Hash: f291f749c072b753d98af71f7e0ffbacea16ce32b4c6008b1c6d6386f429153d
Instruction Fuzzy Hash: 4FD10031900206DADB289F68C855BFAB7B7EF07300F2C415AE906AF750D775AE81CB95

Function 006B61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00650242: EnterCriticalSection.KERNEL32(0070070C,00701884,?,?,0064198B,00702518,?,?,?,006312F9,00000000), ref: 0065024D
Part of subcall function 00650242: LeaveCriticalSection.KERNEL32(0070070C,?,0064198B,00702518,?,?,?,006312F9,00000000), ref: 0065028A

Part of subcall function 006500A3: __onexit.LIBCMT ref: 006500A9

__Init_thread_footer.LIBCMT ref: 006B6238

Part of subcall function 006501F8: EnterCriticalSection.KERNEL32(0070070C,?,?,00648747,00702514), ref: 00650202
Part of subcall function 006501F8: LeaveCriticalSection.KERNEL32(0070070C,?,00648747,00702514), ref: 00650235

Part of subcall function 006A359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 006A35E4
Part of subcall function 006A359C: LoadStringW.USER32(00702390,?,00000FFF,?), ref: 006A360A

Strings

x#p, xrefs: 006B636F
x#p, xrefs: 006B6353
x#p, xrefs: 006B633A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#p$x#p$x#p
API String ID: 1072379062-987765559
Opcode ID: 2e356141c459a1230b6fe8390b866cbf2219388813c70f2d039b07cd930c85ef
Instruction ID: 5a608d6b04617b18b8bdfdebb8138da4aa7530105d4d649d6c554b9d6fe7163e
Opcode Fuzzy Hash: 2e356141c459a1230b6fe8390b866cbf2219388813c70f2d039b07cd930c85ef
Instruction Fuzzy Hash: B1C15CB1A00105AFDB24DF98C895EFAB7BAEF48300F14806DF9459B291DB74ED85CB94

Function 00665AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOc, xrefs: 00665BA8, 00665C6C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: JOc
API String ID: 0-555135532
Opcode ID: 10b97ecfc2500e0e5e9c86dd3e24b5e580b67f7ff861189df0c02e8f11d52eba
Instruction ID: 94bee166cd6ab1fdd1a557386fbe61d30c8d325c55c080ca20977b5635d54725
Opcode Fuzzy Hash: 10b97ecfc2500e0e5e9c86dd3e24b5e580b67f7ff861189df0c02e8f11d52eba
Instruction Fuzzy Hash: 0651B071D0060AAFCB109FA9C846FEE7BBAEF05310F14005DF806A7291DA319A02CB65

Function 00668A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00668B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00668B7A
__dosmaperr.LIBCMT ref: 00668B81

Strings

.e, xrefs: 00668A63

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .e
API String ID: 2434981716-2491337497
Opcode ID: 01954d1a0e39db0a43fd504baf3d23722aad75f59b5dc455a999c73dbcb0eee0
Instruction ID: e9291a513d5059f12b8adf73c7293471453d2ad58cb6bf75effaf8dbef72c62f
Opcode Fuzzy Hash: 01954d1a0e39db0a43fd504baf3d23722aad75f59b5dc455a999c73dbcb0eee0
Instruction Fuzzy Hash: 44416AB0604185AFDB249F74DC84ABD7FA7DB85314F2883A9F88587652DE318D039794

Function 00692716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006921D0,?,?,00000034,00000800,?,00000034), ref: 0069B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00692760

Part of subcall function 0069B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,006921FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0069B3F8

Part of subcall function 0069B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0069B355
Part of subcall function 0069B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00692194,00000034,?,?,00001004,00000000,00000000), ref: 0069B365
Part of subcall function 0069B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00692194,00000034,?,?,00001004,00000000,00000000), ref: 0069B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 006927CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0069281A

Strings

@, xrefs: 00692832

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 5c3ede0f0f719cc69f5270a7b6cabaf69e27ee571cc12fd8cb03e44b9440496c
Instruction ID: cd4f42c601bfe19171e0b83f28e996f8289e46888ca08a2132122a5fa230f0f8
Opcode Fuzzy Hash: 5c3ede0f0f719cc69f5270a7b6cabaf69e27ee571cc12fd8cb03e44b9440496c
Instruction Fuzzy Hash: 00413B72900218BFDF10DBA4DD51EEEBBB9AF09700F005099FA55B7581DB706E45DBA0

Function 0066172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00661769
_free.LIBCMT ref: 00661834
_free.LIBCMT ref: 0066183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00661760, 00661767, 00661796, 006617CE

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-3587028468
Opcode ID: e67d5ad3804a47332471331b20158761ed90334b4a10b951caeff79c0c3526df
Instruction ID: ccdb4d93de35ae8353af5166f7b9052bbabaab3924449a81eb094a0ba64c9ef1
Opcode Fuzzy Hash: e67d5ad3804a47332471331b20158761ed90334b4a10b951caeff79c0c3526df
Instruction Fuzzy Hash: 2E316071A00218EFDB21DF999C85D9EBBFEEB86310F58416AF804DB211DA708E41CB94

Function 0069C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0069C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0069C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00701990,01405C28), ref: 0069C395

Strings

0, xrefs: 0069C2DF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 7f89a150e8cc8c28ebcad62a44d066e35336d7e00b9b4bab1b3ce7e9c790bedc
Instruction ID: 8fbd7e903bb11b628286280578d18d4e6056eae1a9d6facc4f98cfa36507df83
Opcode Fuzzy Hash: 7f89a150e8cc8c28ebcad62a44d066e35336d7e00b9b4bab1b3ce7e9c790bedc
Instruction Fuzzy Hash: 7F41A0712043019FDB20DF24D845F6ABBEAAF85320F04861DF8A597391D770A904CBA6

Function 006C4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006CCC08,00000000,?,?,?,?), ref: 006C44AA
GetWindowLongW.USER32 ref: 006C44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006C44D7

Strings

SysTreeView32, xrefs: 006C447C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e499065a83c708852c5ae3401cea87a0b5beccf4fc06a3da2b176cca36b15fe9
Instruction ID: ab7a40557162631e6675e9c9f3a79dd5dca2fbf9db517b73052c42a016d872f6
Opcode Fuzzy Hash: e499065a83c708852c5ae3401cea87a0b5beccf4fc06a3da2b176cca36b15fe9
Instruction Fuzzy Hash: 37318B31210605AFDB248E38DC55FEA7BAAEB08334F208719F979932E0DB70EC509B50

Function 00696E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00696EED
VariantCopyInd.OLEAUT32(?,?), ref: 00696F08
VariantClear.OLEAUT32(?), ref: 00696F12

Strings

*ji, xrefs: 00696E8B, 00696E90, 00696EF8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *ji
API String ID: 2173805711-1642545397
Opcode ID: 08dd1a142b8ea50c470cef6b061586c46110021e3167913fd653122729a9aee6
Instruction ID: 7ce41144560f156d73f437ad6d47e3551d6b0318c5e251a8d1e5b9fce41322ea
Opcode Fuzzy Hash: 08dd1a142b8ea50c470cef6b061586c46110021e3167913fd653122729a9aee6
Instruction Fuzzy Hash: 27316B72604345DBCF09AFA5E8919BE37BBEF85310B1044A9F9038B6B1CB349916DBD4

Function 006B304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006B335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,006B3077,?,?), ref: 006B3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006B307A
_wcslen.LIBCMT ref: 006B309B
htons.WSOCK32(00000000,?,?,00000000), ref: 006B3106

Strings

255.255.255.255, xrefs: 006B3095, 006B309A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 231eb1e8d8ebe3b54efb652d76089d3064683097eed8c36f2dc4dd936ea388c1
Instruction ID: f177f6ec0a43c86bff7022a6bdb23832527a2c0eb95e4a764b93a5a7f4e1373e
Opcode Fuzzy Hash: 231eb1e8d8ebe3b54efb652d76089d3064683097eed8c36f2dc4dd936ea388c1
Instruction Fuzzy Hash: 1031E4B57002119FC710DF2CC585EEA7BE6EF14318F248059E9158B392DB71DE85CB60

Function 006C4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006C4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006C4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006C471A

Strings

msctls_updown32, xrefs: 006C4684

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2c03e4c15671f77d823968899ca4baeed194c5aa0ee998c2c989ccd8964df40a
Instruction ID: 002ed6a31f3b674db10ff84ba1fd90d0b2f7805de886adee15568c07d1c781a4
Opcode Fuzzy Hash: 2c03e4c15671f77d823968899ca4baeed194c5aa0ee998c2c989ccd8964df40a
Instruction Fuzzy Hash: 43215CB5600209AFDB10DF64DCA5EB737AEEF4A3A4B05015DFA049B351CB30EC51CA64

Function 006995AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0069961D

Strings

#notrayicon, xrefs: 006995B7
#OnAutoItStartRegister, xrefs: 006995F3
#requireadmin, xrefs: 006995D9

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 2bb46cc63008e2a0523c7c0b254c43111877efd7c7b5e3d6206e822c3c9e6302
Instruction ID: 75ce77b8e1039bd1060ae94c5c4f18e6fdc79b188247f179294b5f0420c1866c
Opcode Fuzzy Hash: 2bb46cc63008e2a0523c7c0b254c43111877efd7c7b5e3d6206e822c3c9e6302
Instruction Fuzzy Hash: 5421F672104511A6EB31AB2C9C02FF773AF9F51310F15442EF949D7A42EB51AD46C2E9

Function 006C37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006C3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006C3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006C3876

Strings

Listbox, xrefs: 006C380F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 71eccb6d354e064f46e66f6e95c7fe14e838102c30e4f73b264e4aa623c776dc
Instruction ID: 413fe682f8d67d047e4adba58ad00b92e836c7591a0e6139959782795455d3cb
Opcode Fuzzy Hash: 71eccb6d354e064f46e66f6e95c7fe14e838102c30e4f73b264e4aa623c776dc
Instruction Fuzzy Hash: 49217F72610228BBEB219F54DC85FFB376BEF89760F118118F9059B290C6759C5287A0

Function 006A49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006A4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006A4A5C
SetErrorMode.KERNEL32(00000000,?,?,006CCC08), ref: 006A4AD0

Strings

%lu, xrefs: 006A4A6F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 13a39fbb0aa330728195b3ab5997e8a278952ba9bf33b5dd33739805b52c3ed1
Instruction ID: 603262db0def07d10f2dfe89a669560cd2290c12cedae22333157e57d0a55639
Opcode Fuzzy Hash: 13a39fbb0aa330728195b3ab5997e8a278952ba9bf33b5dd33739805b52c3ed1
Instruction Fuzzy Hash: 90317F71A00108AFDB50DF54C885EAA77F9EF45314F1480A9E509DB252DB71ED45CBA1

Function 006C41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006C424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006C4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006C4271

Strings

msctls_trackbar32, xrefs: 006C4226

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: f5d0755866b1f57b73b774ac7ef42d7ac5b383ddb5f91d7380659ab195811920
Instruction ID: 5d949da3def4acd5ba1d363c1942500ba200726b3dc0cbc47b3cdf5266979699
Opcode Fuzzy Hash: f5d0755866b1f57b73b774ac7ef42d7ac5b383ddb5f91d7380659ab195811920
Instruction Fuzzy Hash: BA110631240208BEEF209F29CC06FFB3BAEEF85B64F014119FA55E2190D675DC519B14

Function 00692F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

Part of subcall function 00692DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00692DC5
Part of subcall function 00692DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00692DD6
Part of subcall function 00692DA7: GetCurrentThreadId.KERNEL32 ref: 00692DDD
Part of subcall function 00692DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00692DE4

GetFocus.USER32 ref: 00692F78

Part of subcall function 00692DEE: GetParent.USER32(00000000), ref: 00692DF9

GetClassNameW.USER32(?,?,00000100), ref: 00692FC3
EnumChildWindows.USER32(?,0069303B), ref: 00692FEB

Strings

%s%d, xrefs: 00692FFF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 8f1923819c0918a3b96e1100e513603464185e2be1e2378d061857612c873bb1
Instruction ID: 8622f906cd9c42aaa394ba1fc9d43ecb265fc1b9223288a34214c7dbc637e956
Opcode Fuzzy Hash: 8f1923819c0918a3b96e1100e513603464185e2be1e2378d061857612c873bb1
Instruction Fuzzy Hash: 1D11B1716002156BCF947F70CC99EFE776FAF84314F048079FA0A9B292DE30994A8B64

Function 006C5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006C58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006C58EE
DrawMenuBar.USER32(?), ref: 006C58FD

Strings

0, xrefs: 006C588F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2f4abf217d86c228d87cd33af53e5cfbf6d690f1a9ef01d6f6bc82d8e79e6787
Instruction ID: d205a4233f8f65955ea5690cb02f9a50aadeee108d5e65185cceb226b324a01a
Opcode Fuzzy Hash: 2f4abf217d86c228d87cd33af53e5cfbf6d690f1a9ef01d6f6bc82d8e79e6787
Instruction Fuzzy Hash: 49011B31500258EEDB619F11DC44FBEBBBAFB45361F10809EE84AD6251DB309A95DF21

Function 0068D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0068D3BF
FreeLibrary.KERNEL32 ref: 0068D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0068D3B9
X64, xrefs: 0068D2A8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: cd6fdff59768f6e5af072020a09f13ff10172198db68c28622a26ca69a96d316
Instruction ID: c1414187081db0482fd8674e60d8a861c4063e6559fed263141c8588ee733c5c
Opcode Fuzzy Hash: cd6fdff59768f6e5af072020a09f13ff10172198db68c28622a26ca69a96d316
Instruction Fuzzy Hash: A5F0E521845621EBD7313B114C64EB9B727AF11B11B598369E90AE22C4DB20CE4587B2

Function 0069007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d63f4174466cf1edc9f70159ed4737bfa39cd5b05f8edd3edd0828e2cb9bd1
Instruction ID: cd9fde1baa2bce8e0967c1fb185da919a11ec3782f67e7c34c09397016b708a0
Opcode Fuzzy Hash: a9d63f4174466cf1edc9f70159ed4737bfa39cd5b05f8edd3edd0828e2cb9bd1
Instruction Fuzzy Hash: 9BC14C75A00216EFDF14CFA4C894AAEB7BAFF48714F208598E505EB251D731DE42DB90

Function 006B342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006B3459
CoUninitialize.OLE32 ref: 006B3463
VariantInit.OLEAUT32(?), ref: 006B346E
VariantClear.OLEAUT32(?), ref: 006B371B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 6aefef81e796648ccec24b90c2c634b129a48517bdf7427c27f1566133fb7677
Instruction ID: 4017dd282dd933ddbc6551bc052f3a22462257e1fbaec92154456811964c9b8e
Opcode Fuzzy Hash: 6aefef81e796648ccec24b90c2c634b129a48517bdf7427c27f1566133fb7677
Instruction Fuzzy Hash: F3A14AB57042109FCB54DF28C485A6AB7E6FF88724F04885DF98A9B362DB30ED41CB95

Function 00690436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006CFC08,?), ref: 006905F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006CFC08,?), ref: 00690608
CLSIDFromProgID.OLE32(?,?,00000000,006CCC40,000000FF,?,00000000,00000800,00000000,?,006CFC08,?), ref: 0069062D
_memcmp.LIBVCRUNTIME ref: 0069064E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 3a70f354a2db203991d74e047caf3f106f8e2458ea47832f76ce72b87c210c82
Instruction ID: a860283ca1c3086b875a5f294ebaf4266f1c796474b74a0eec9541360712789d
Opcode Fuzzy Hash: 3a70f354a2db203991d74e047caf3f106f8e2458ea47832f76ce72b87c210c82
Instruction Fuzzy Hash: 7281E875A00109EFDF04DF94C984EEEB7BAFF89315F204598E516AB250DB71AE06CB60

Function 006BA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006BA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 006BA6BA

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Process32NextW.KERNEL32(00000000,?), ref: 006BA79C
CloseHandle.KERNEL32(00000000), ref: 006BA7AB

Part of subcall function 0064CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00673303,?), ref: 0064CE8A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: d5cc28a30c401a1e070751734d9b2dc12b27db14941e4ac071a468cc5b009d9d
Instruction ID: b60cafd03068b1d8e11cba204cc90f04be6ae211e34313f30fe7f2d03792e185
Opcode Fuzzy Hash: d5cc28a30c401a1e070751734d9b2dc12b27db14941e4ac071a468cc5b009d9d
Instruction Fuzzy Hash: 49516DB1508300AFD750EF24C886E6BBBEAFF89754F00892DF58997251EB70D904CB96

Function 00671391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006714C0

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ecb3658cac215d2f3f2a8d1f48c306012806068ec7127a4b9f4f221ad6a43134
Instruction ID: deeae6b408d2472f19b5de1cf8050935fe806fe916c4b3ac6f0bbb4d0b3493ba
Opcode Fuzzy Hash: ecb3658cac215d2f3f2a8d1f48c306012806068ec7127a4b9f4f221ad6a43134
Instruction Fuzzy Hash: 41412A71600500ABDB256FFD8C46AEE3AE7EF43770F14822BF81DDB291E63489425365

Function 006C6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006C62E2
ScreenToClient.USER32(?,?), ref: 006C6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 006C6382

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e6ab40a8ef4e06a58ce8d109e247548a6141cf7cf4c16211847d6e1f330dec69
Instruction ID: a8728020b25217b3cb6f2c216220960811be83a1016edc000aa4631b05c172ec
Opcode Fuzzy Hash: e6ab40a8ef4e06a58ce8d109e247548a6141cf7cf4c16211847d6e1f330dec69
Instruction Fuzzy Hash: 0151F874A00249EFDB10DF68D984EBE7BB6EF45360F10826DF8199B290D730AD81CB94

Function 006B1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006B1AFD
WSAGetLastError.WSOCK32 ref: 006B1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006B1B8A
WSAGetLastError.WSOCK32 ref: 006B1B94

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: b041671b784b913213b5ab2023a68cb11095b0e015a36b8bcba05c1c5a9391e3
Instruction ID: 775a040b4994352504888a671f24f66b43bd08a6c3b2b3efb1668e428b0e1110
Opcode Fuzzy Hash: b041671b784b913213b5ab2023a68cb11095b0e015a36b8bcba05c1c5a9391e3
Instruction Fuzzy Hash: B141B074600200AFE720AF24C896F6A77E6AB45718F54844CFA1A9F3D2D772DD828B90

Function 0066B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b47ad5c2f38901e6a97da55c3b8d08bda0c9da4d877e48640105024dcfc8defb
Instruction ID: def762823d73d37a905c132461699314aa9e308ea7952de3d7f4996aea99a992
Opcode Fuzzy Hash: b47ad5c2f38901e6a97da55c3b8d08bda0c9da4d877e48640105024dcfc8defb
Instruction Fuzzy Hash: 2141F571A00714EFD724AF78CC41BAABBEBEB88710F10852EF556DB292DB7199418784

Function 006A56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006A5783
GetLastError.KERNEL32(?,00000000), ref: 006A57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006A57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006A57FA

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 046457b5ca5e8a0f8dc9723423b4cb98706d1b4ee6c6bf3d4b8f799d94097d9a
Instruction ID: 887cc178c1e3df8d3ec59f44db304f439b321eebea5da2e25e00ff4a30b378e2
Opcode Fuzzy Hash: 046457b5ca5e8a0f8dc9723423b4cb98706d1b4ee6c6bf3d4b8f799d94097d9a
Instruction Fuzzy Hash: 62410C39600614DFCB25EF15C544A59BBE2EF89320F198488E85A6B362CB35FD41CF95

Function 0066D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00656D71,00000000,00000000,006582D9,?,006582D9,?,00000001,00656D71,?,00000001,006582D9,006582D9), ref: 0066D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0066D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0066D9AB
__freea.LIBCMT ref: 0066D9B4

Part of subcall function 00663820: RtlAllocateHeap.NTDLL(00000000,?,00701444,?,0064FDF5,?,?,0063A976,00000010,00701440,006313FC,?,006313C6,?,00631129), ref: 00663852

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 456b6d4a2336c485f43ceb4c6c58ff3430d9ae47ed2576ab6d5a437ca830a3b6
Instruction ID: 3a30a4cdb98656c32599b13dd63959ed696faea0d18bb6b587abf6cd2bc0b2b6
Opcode Fuzzy Hash: 456b6d4a2336c485f43ceb4c6c58ff3430d9ae47ed2576ab6d5a437ca830a3b6
Instruction Fuzzy Hash: 2E31AB72A0020AABDB249F65DC45EEF7BA6EB41310F054268FC08D7290EB35DD55CBA0

Function 006C52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 006C5352
GetWindowLongW.USER32(?,000000F0), ref: 006C5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006C5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006C53A8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: de3c6bfebebdf527b90f817059bbb4ae732e3ddbc09c13df0bcf370b48ad25ef
Instruction ID: e9bbc305844b728bbdfcfe5d09df42cf764812a6d433f30faea410652ac65ace
Opcode Fuzzy Hash: de3c6bfebebdf527b90f817059bbb4ae732e3ddbc09c13df0bcf370b48ad25ef
Instruction Fuzzy Hash: 3531B634A55A88EFEB309B54CC05FF97767EB04390F54410AFA1A963E1E7B4B9C09B81

Function 0069AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 0069ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0069AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0069AC74
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 0069ACC6

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d6685642146fb773396657950fbf8a2e39437bb09b5b4510671614374e94507e
Instruction ID: 782b3a8d137687efd78bdc0d83e5523ddb0a373f33320e4469a59c3479b4737c
Opcode Fuzzy Hash: d6685642146fb773396657950fbf8a2e39437bb09b5b4510671614374e94507e
Instruction Fuzzy Hash: A6310830A00618EFEF35CBA58C04BFA7BEFAB85321F04461EE4855AAD1C375898587D6

Function 006C7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006C769A
GetWindowRect.USER32(?,?), ref: 006C7710
PtInRect.USER32(?,?,006C8B89), ref: 006C7720
MessageBeep.USER32(00000000), ref: 006C778C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 9c6388e907cf122fe8169d58731304e13531cebeb1a58de343d45fbd456e16ac
Instruction ID: 864a8279b9c7fa8794c00482ff02fcee70270a8228d2531e181f666b4c421933
Opcode Fuzzy Hash: 9c6388e907cf122fe8169d58731304e13531cebeb1a58de343d45fbd456e16ac
Instruction Fuzzy Hash: 01415534A09258DFCB01CF68D894FB9B7B6FB49314F5981ADE8149B361C734A942CFA0

Function 006C16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006C16EB

Part of subcall function 00693A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00693A57
Part of subcall function 00693A3D: GetCurrentThreadId.KERNEL32 ref: 00693A5E
Part of subcall function 00693A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,006925B3), ref: 00693A65

GetCaretPos.USER32(?), ref: 006C16FF
ClientToScreen.USER32(00000000,?), ref: 006C174C
GetForegroundWindow.USER32 ref: 006C1752

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7f8518791f8bc6591d183a19ab018fedbbe7891f1a9c320853382ca56f57922e
Instruction ID: 4fc3cc31ef0d1f47ca66a3e04b700f793994727b9533449865e8503489101b53
Opcode Fuzzy Hash: 7f8518791f8bc6591d183a19ab018fedbbe7891f1a9c320853382ca56f57922e
Instruction Fuzzy Hash: 53313D75D00149AFCB44EFA9C881DAEBBFAEF89314B5080ADE415E7212D7319E45CFA0

Function 006C8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

GetCursorPos.USER32(?), ref: 006C9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00687711,?,?,?,?,?), ref: 006C9016
GetCursorPos.USER32(?), ref: 006C905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00687711,?,?,?), ref: 006C9094

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: c5654d1e9915a90e8e84ce680eff033cd8fe5d2bcb781c9e5fbf63ac623d4235
Instruction ID: cbb38f339da12a5e0654f20eebf1125b9de5848bdabaf6def3440c7910ce67d6
Opcode Fuzzy Hash: c5654d1e9915a90e8e84ce680eff033cd8fe5d2bcb781c9e5fbf63ac623d4235
Instruction Fuzzy Hash: 0D217F35700018EFDB298F94CC58FFA7BBAEB49360F54416EF905472A1C735A990DB64

Function 0069D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,006CCB68), ref: 0069D2FB
GetLastError.KERNEL32 ref: 0069D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0069D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006CCB68), ref: 0069D376

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: a2bc62ac0fbbac20424b3d7dce7c890866814d1551247635ecee17fe765c5f34
Instruction ID: 639717a9147df753f53040040a1986aba3f59cb99fc3812e6c85d3d7c515ace7
Opcode Fuzzy Hash: a2bc62ac0fbbac20424b3d7dce7c890866814d1551247635ecee17fe765c5f34
Instruction Fuzzy Hash: 8721A170508201DFCB00DF28C8818AAB7EAEF56365F104A2DF499C37A1DB30DA46CB97

Function 00691571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00691014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0069102A
Part of subcall function 00691014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00691036
Part of subcall function 00691014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00691045
Part of subcall function 00691014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0069104C
Part of subcall function 00691014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00691062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006915BE
_memcmp.LIBVCRUNTIME ref: 006915E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00691617
HeapFree.KERNEL32(00000000), ref: 0069161E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 079084010ef9d6018b3f9f8019d2d38ba4ecad95a54bd25441d648ee2f1d2254
Instruction ID: 6e09173ed7493aa0a597240d6bba55ac7f2a7623fe4a9e88b50e987f7f669a40
Opcode Fuzzy Hash: 079084010ef9d6018b3f9f8019d2d38ba4ecad95a54bd25441d648ee2f1d2254
Instruction Fuzzy Hash: C421DE72E0010AEFDF00DFA4C944BEEB7BAEF42354F294459E405AB240E730AE05CBA0

Function 006C2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 006C280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006C2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 006C2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006C2840

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: ba7aebb61160205b52f311ce6a264bc047bd5d25b1d651c2ddf7463c988044d1
Instruction ID: bb31afaca98f3e41a89463103e69a8f9d47fedbc962428dcc1f76481526ef4e7
Opcode Fuzzy Hash: ba7aebb61160205b52f311ce6a264bc047bd5d25b1d651c2ddf7463c988044d1
Instruction Fuzzy Hash: B9219235205512AFD7149B24C865FBA7796EF45324F14815CF8168B692C771EC42C7D0

Function 006978F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00698D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0069790A,?,000000FF,?,00698754,00000000,?,0000001C,?,?), ref: 00698D8C
Part of subcall function 00698D7D: lstrcpyW.KERNEL32(00000000,?,?,0069790A,?,000000FF,?,00698754,00000000,?,0000001C,?,?,00000000), ref: 00698DB2
Part of subcall function 00698D7D: lstrcmpiW.KERNEL32(00000000,?,0069790A,?,000000FF,?,00698754,00000000,?,0000001C,?,?), ref: 00698DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00698754,00000000,?,0000001C,?,?,00000000), ref: 00697923
lstrcpyW.KERNEL32(00000000,?,?,00698754,00000000,?,0000001C,?,?,00000000), ref: 00697949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00698754,00000000,?,0000001C,?,?,00000000), ref: 00697984

Strings

cdecl, xrefs: 0069797B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 93db7571e8d93bddb9b5461a350babdd4644f24010d04f957787af0d22e31c06
Instruction ID: 8f03e6aca095d5c01b0a4d8a84c1451435b0ccff24bcf6c6eb2c1294f97546e9
Opcode Fuzzy Hash: 93db7571e8d93bddb9b5461a350babdd4644f24010d04f957787af0d22e31c06
Instruction Fuzzy Hash: 6511033A200202AFCF159F35D844EBA77AAFF85360B10402AF906CB7A4EF319801C7A5

Function 006C7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 006C7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 006C7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006C7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006AB7AD,00000000), ref: 006C7D6B

Part of subcall function 00649BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00649BB2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: ad35474a96b5062fbdb35f1a691073ce523b39345ad5fd8c659dd966aeb4f09c
Instruction ID: 54b312662a7612d43378284b3ba3380465d460bdbc265477f8246858dee7fefe
Opcode Fuzzy Hash: ad35474a96b5062fbdb35f1a691073ce523b39345ad5fd8c659dd966aeb4f09c
Instruction Fuzzy Hash: 3C118C32614655AFCB109F28DC04EB63BA6EF45370F558728F83AC72E0D730A961DB90

Function 006C5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006C56BB
_wcslen.LIBCMT ref: 006C56CD
_wcslen.LIBCMT ref: 006C56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 006C5816

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 75b7ba6a5ad583b777ddf386e56235541cc009378a29ba951135e8312be5878c
Instruction ID: 6c2707ec46868fd0bddbe86fe4dfde6a9c7ecd13d084c71e539a21aa422da970
Opcode Fuzzy Hash: 75b7ba6a5ad583b777ddf386e56235541cc009378a29ba951135e8312be5878c
Instruction Fuzzy Hash: A911DF7160060896DF209B628C85FFE37ADEB10364F10816EF91696181EB70EAC4CB64

Function 00661D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455ea6e9bba81e9304cf1a3459ef8674259b194b66f3fb6d0e56a5bcbcd2fe75
Instruction ID: 335b9af4450a8dce8342cd936936ced41bec083be091e2ba4cd62aa24d8623a1
Opcode Fuzzy Hash: 455ea6e9bba81e9304cf1a3459ef8674259b194b66f3fb6d0e56a5bcbcd2fe75
Instruction Fuzzy Hash: 270121B2709A063EF76026796CC0FA7661FDF827B8F38032AF520A92D2DF609C005174

Function 00691A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00691A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00691A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00691A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00691A8A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 17f2492dc20011e2646104aa48a51df9b056783ed28f43a4d678aaf7b3ae3d4b
Instruction ID: df7bbced1836e92c159f173554a0d94e1a1284533df4278c5c87ab9fb666add4
Opcode Fuzzy Hash: 17f2492dc20011e2646104aa48a51df9b056783ed28f43a4d678aaf7b3ae3d4b
Instruction Fuzzy Hash: 0B11393AD01219FFEF10DBA5CD85FADBB79EB08750F200092EA04BB290D6716E50DB94

Function 0069E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0069E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0069E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0069E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0069E24D

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: e1927cc3fcb55f997a43d8d0c19f40d361d1e03eafd804ecad46b26f9fa104d5
Instruction ID: 44639a6c9b6a52a9a07c320557524417e7e9b21d6829089766f9506911fa167c
Opcode Fuzzy Hash: e1927cc3fcb55f997a43d8d0c19f40d361d1e03eafd804ecad46b26f9fa104d5
Instruction Fuzzy Hash: 5211C876D04254BBCB01DBA89C05EAE7FAEEB45720F148355F918D3791D6758A0487A0

Function 0065D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0065CFF9,00000000,00000004,00000000), ref: 0065D218
GetLastError.KERNEL32 ref: 0065D224
__dosmaperr.LIBCMT ref: 0065D22B
ResumeThread.KERNEL32(00000000), ref: 0065D249

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e7d62381b183e79c31c7b05629f16cfcec19401fb2114983efecc466409b633f
Instruction ID: 10e1059b6345b2b979022c5d84af6e15c0bcd7bf3e3021057908310acbd37466
Opcode Fuzzy Hash: e7d62381b183e79c31c7b05629f16cfcec19401fb2114983efecc466409b633f
Instruction Fuzzy Hash: 0401D6764056047BCB315BA5DC05BAE7A6BDF81332F100219FD29921D0DB708A09C7A0

Function 0063600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0063604C
GetStockObject.GDI32(00000011), ref: 00636060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0063606A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 22d868d87838e815f40d9a4fd2e072e497fd46863d0c13929cf8e3d569dcd5a6
Instruction ID: b82571a5633ad5b6fb7374eff7245520138f15a4a67ecc7b73126bacef2b43ac
Opcode Fuzzy Hash: 22d868d87838e815f40d9a4fd2e072e497fd46863d0c13929cf8e3d569dcd5a6
Instruction Fuzzy Hash: 18116D72501548BFEF164FA4DD55EEABB6AEF093A4F048215FA1892120D732DC60DBE0

Function 00653B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00653B56

Part of subcall function 00653AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00653AD2
Part of subcall function 00653AA3: ___AdjustPointer.LIBCMT ref: 00653AED

_UnwindNestedFrames.LIBCMT ref: 00653B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00653B7C
CallCatchBlock.LIBVCRUNTIME ref: 00653BA4

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: cbeab1b091b87c29cce5d3d9218997a023c348b2c5be3bf553507942ec1bf989
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 15014C32100158BBDF125E95CC42EEB3F6EEF58B99F044058FE4896221C732E965DBA4

Function 00663073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,006313C6,00000000,00000000,?,0066301A,006313C6,00000000,00000000,00000000,?,0066328B,00000006,FlsSetValue), ref: 006630A5
GetLastError.KERNEL32(?,0066301A,006313C6,00000000,00000000,00000000,?,0066328B,00000006,FlsSetValue,006D2290,FlsSetValue,00000000,00000364,?,00662E46), ref: 006630B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0066301A,006313C6,00000000,00000000,00000000,?,0066328B,00000006,FlsSetValue,006D2290,FlsSetValue,00000000), ref: 006630BF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c6a68721d3ec55945a7a540867025a4a9855a1a7a589472799025ddb1c0dbd05
Instruction ID: 0331e0787199c7ded4003926d6badbf728022dd5629928a27caf5e97aa427399
Opcode Fuzzy Hash: c6a68721d3ec55945a7a540867025a4a9855a1a7a589472799025ddb1c0dbd05
Instruction Fuzzy Hash: 3501FC32701332ABC7314B79DC44DA7779AEF05771B100620F919D7340C725D905C6E0

Function 00697464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0069747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00697497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006974AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 006974CA

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: da6cb6ce8b342b0bcedf57f7a101a7796a34c4a1fa854895810384e29909a2fb
Instruction ID: f60bd8de987819791b7e2f7cbb16917c5270a06dba5adf4285bc4bb142516525
Opcode Fuzzy Hash: da6cb6ce8b342b0bcedf57f7a101a7796a34c4a1fa854895810384e29909a2fb
Instruction Fuzzy Hash: D911ADB1215314ABEB20CF14DC08FA67BFEEF00B10F108569E61AD7992D7B0E904DBA0

Function 0069B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0069ACD3,?,00008000), ref: 0069B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0069ACD3,?,00008000), ref: 0069B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0069ACD3,?,00008000), ref: 0069B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0069ACD3,?,00008000), ref: 0069B126

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: c5409030c8754579a50f5e76375eb269dcbf263bdd25dc1e6372f842508684c4
Instruction ID: 7b22d7cf5fb1bab59b3c5003a08adfbabe1da4c3c2dfab76025a0ff40d920887
Opcode Fuzzy Hash: c5409030c8754579a50f5e76375eb269dcbf263bdd25dc1e6372f842508684c4
Instruction Fuzzy Hash: 0F115E31C0152DD7CF009FE5EA68AFEBB79FF4A711F115095D941B2641CB3055518B51

Function 006C7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006C7E33
ScreenToClient.USER32(?,?), ref: 006C7E4B
ScreenToClient.USER32(?,?), ref: 006C7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006C7E8A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 2d8f70bc439d67935c024b768bccf77f0f9d0891db6aa24b1621aa2a989e2dc9
Instruction ID: 23e8e250ace2701840d190f673c2a3383ce73c1ad4f15d1d8ad7386d5e59c685
Opcode Fuzzy Hash: 2d8f70bc439d67935c024b768bccf77f0f9d0891db6aa24b1621aa2a989e2dc9
Instruction Fuzzy Hash: 331156B9D0020AAFDB41CF99C984AEEBBF5FF18310F505056E915E3210D735AA55CF50

Function 00692DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00692DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00692DD6
GetCurrentThreadId.KERNEL32 ref: 00692DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00692DE4

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 099fa4f587d3809bab2c52c242741fb46366b7f2df92047e74628eaac5df574d
Instruction ID: f02b5ba77934707321c624f64f038a14f2290d9c62d5b9117c445f7e31128754
Opcode Fuzzy Hash: 099fa4f587d3809bab2c52c242741fb46366b7f2df92047e74628eaac5df574d
Instruction Fuzzy Hash: 44E092715012247BDB201B739C0DFFB7E6EEF42BB1F001016F10AD14809AA0C845D6B0

Function 006C8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00649639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00649693
Part of subcall function 00649639: SelectObject.GDI32(?,00000000), ref: 006496A2
Part of subcall function 00649639: BeginPath.GDI32(?), ref: 006496B9
Part of subcall function 00649639: SelectObject.GDI32(?,00000000), ref: 006496E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 006C8887
LineTo.GDI32(?,?,?), ref: 006C8894
EndPath.GDI32(?), ref: 006C88A4
StrokePath.GDI32(?), ref: 006C88B2

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 5bf43e082fef34073d92e760a7444ee73de151e248b989de6d81b011de7167da
Instruction ID: 05c704fb4b5b00cf2795bf43ca3ca6009298cbd1800d64c30da032099b9ef0c3
Opcode Fuzzy Hash: 5bf43e082fef34073d92e760a7444ee73de151e248b989de6d81b011de7167da
Instruction Fuzzy Hash: 7FF0E236142258FBEB226F94AC0DFEE3F1AAF06320F448104FA01614E1CB791510CFE9

Function 006498B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 006498CC
SetTextColor.GDI32(?,?), ref: 006498D6
SetBkMode.GDI32(?,00000001), ref: 006498E9
GetStockObject.GDI32(00000005), ref: 006498F1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 32c31bd0ff0218bb944a626d3d0aa7146f2a1d3e3f8bdb531cee5cdc2fd64487
Instruction ID: 9f4d5d1cec12fd21395fc47a49b9b08e1d9189fdbb0e1cb07e701608c1798c34
Opcode Fuzzy Hash: 32c31bd0ff0218bb944a626d3d0aa7146f2a1d3e3f8bdb531cee5cdc2fd64487
Instruction Fuzzy Hash: 74E06D31644280AEDB215B79BC09FE93F62AB12336F188319F6FE981E1C77186509B21

Function 0069162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00691634
OpenThreadToken.ADVAPI32(00000000,?,?,?,006911D9), ref: 0069163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006911D9), ref: 00691648
OpenProcessToken.ADVAPI32(00000000,?,?,?,006911D9), ref: 0069164F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 2e8aaac753eb0215046c1e0f4d5aee37ead6dfc0f4fb8bb64ad997bd560f24f2
Instruction ID: bd75643a4c15d5ed1c2335197df5b4d98a3657aa0613bf31e88f03d3dc9b8539
Opcode Fuzzy Hash: 2e8aaac753eb0215046c1e0f4d5aee37ead6dfc0f4fb8bb64ad997bd560f24f2
Instruction Fuzzy Hash: 7CE08671A01211DBDB201FA0AD0DFA63B7EBF457A1F184808F249CE080D6388441C750

Function 0068D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0068D858
GetDC.USER32(00000000), ref: 0068D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0068D882
ReleaseDC.USER32(?), ref: 0068D8A3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 4b1706524ba489d650c426806cd7005f23330787204b2a50c636b76303e855b7
Instruction ID: 9c05ea049313c0094858111e0f0e9f1ec45230009216d19dfa5fc2d4ad241ea3
Opcode Fuzzy Hash: 4b1706524ba489d650c426806cd7005f23330787204b2a50c636b76303e855b7
Instruction Fuzzy Hash: 6FE09AB5900205EFCB41AFA1D90CA7DBBB7FB48321F149459F84AE7250C7399942AF50

Function 0068D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0068D86C
GetDC.USER32(00000000), ref: 0068D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0068D882
ReleaseDC.USER32(?), ref: 0068D8A3

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dbbfca5c97af3cdd59e0fcd02f9b48c1cd2da5682c88efd96902169ea9ccae61
Instruction ID: 83b6d7a6835927dffafc81d7f80e94a327d252fe2a75ad470fc927a9de88fecc
Opcode Fuzzy Hash: dbbfca5c97af3cdd59e0fcd02f9b48c1cd2da5682c88efd96902169ea9ccae61
Instruction Fuzzy Hash: 14E092B5D00204EFCB51AFA1D90CA6DBBB6BB48321F14A449F94AE7250CB399902AF50

Function 006A4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00637620: _wcslen.LIBCMT ref: 00637625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 006A4ED4

Strings

*, xrefs: 006A4E10
LPT, xrefs: 006A4DFB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 2e5a2911a4c78f1cda68dfd77a1594fdd7c0894ccdedbf6594dc9a8e5d374b7e
Instruction ID: 5c6f96432855e89d14a26d228edf7db0fb5c64c53b77264598931d1767d3567a
Opcode Fuzzy Hash: 2e5a2911a4c78f1cda68dfd77a1594fdd7c0894ccdedbf6594dc9a8e5d374b7e
Instruction Fuzzy Hash: 32914F75A002049FCB14EF58C884EAABBF2BF85314F158099E40A9F362DB75ED85CF91

Function 0065E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0065E30D

Strings

pow, xrefs: 0065E2E5, 0065E302

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fff1aad8c464d3b006251b640fc8c43194bd5466eb3f66e16dda351cdb52583c
Instruction ID: b35a39cd258d29b617d16272a0d6da56b3081f2bc7fed35a58bf9e13e0673092
Opcode Fuzzy Hash: fff1aad8c464d3b006251b640fc8c43194bd5466eb3f66e16dda351cdb52583c
Instruction Fuzzy Hash: 3D519D61E0C20296CF197714C9013F93B979F10746F304D9DE8D5423A9EB368EC99A4A

Function 006B7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0068569E,00000000,?,006CCC08,?,00000000,00000000), ref: 006B78DD

Part of subcall function 00636B57: _wcslen.LIBCMT ref: 00636B6A

CharUpperBuffW.USER32(0068569E,00000000,?,006CCC08,00000000,?,00000000,00000000), ref: 006B783B

Strings

<so, xrefs: 006B77C8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <so
API String ID: 3544283678-187667226
Opcode ID: c0d77bb717d815e7a56915c903f45c71caa5ce02e2b908e656069f7267da70af
Instruction ID: 38e0f3a4d0208e84a91429e510dffbde00b3ffffe96a21cd4b5be3508769d9cb
Opcode Fuzzy Hash: c0d77bb717d815e7a56915c903f45c71caa5ce02e2b908e656069f7267da70af
Instruction Fuzzy Hash: 766116B6914128AACF44EBA4CC91DFDB37ABF54300F444129F642A7191EF20AA49DBE4

Function 0064E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0064E1B1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 70b8d4885501e7e7c41a255daa8ea6ad25c266999d0604ddacc3a7902d207b79
Instruction ID: 88bb804f98701f32d96f01f9e0246db32c64251af746e5a42a1fa9396e213473
Opcode Fuzzy Hash: 70b8d4885501e7e7c41a255daa8ea6ad25c266999d0604ddacc3a7902d207b79
Instruction Fuzzy Hash: B2513375604246DFDB14EF28C481AFA7BA7FF15310F248259E8919B3C0D6769E42CBA0

Function 0064F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0064F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0064F2BB

Strings

@, xrefs: 0064F2AF

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 0c6321800fb638ee6faf9251d83d7baf9fec235ed9dc264b9f2a0593f8dc6cfc
Instruction ID: 88509c69fd328d3a504354e4ae5ae67ea8178fc2f1fa2d327dbdbd6232cb6b8c
Opcode Fuzzy Hash: 0c6321800fb638ee6faf9251d83d7baf9fec235ed9dc264b9f2a0593f8dc6cfc
Instruction Fuzzy Hash: A15157B14087489BD360AF10DC86BAFBBF9FF85310F81885CF1D941195EB309529CBAA

Function 006B5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006B57E0
_wcslen.LIBCMT ref: 006B57EC

Strings

CALLARGARRAY, xrefs: 006B57E6, 006B57EB

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: d447ddbe5a43679e4a7f157e2b42eb5cbef7c58038daf6cbaf37b5646e9ba6ce
Instruction ID: 2780b5e79e6b912d7217c7f3a363694b547890056a617f4f6b83293520f70068
Opcode Fuzzy Hash: d447ddbe5a43679e4a7f157e2b42eb5cbef7c58038daf6cbaf37b5646e9ba6ce
Instruction Fuzzy Hash: 74418FB1A002199FCB14DFA9C881AFEBBB6EF59324F14406DE506A7351E7709D81CB94

Function 006AD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006AD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006AD13A

Strings

|, xrefs: 006AD10B

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: ffe4c080531cd9fc900c74e7d32ab7488b622a818ffc1f0bfb63ca0dd4756c36
Instruction ID: 0fa8e59a247ddf420f045766532438bc97eab62a0e7425707f0d9a4b732e1fc5
Opcode Fuzzy Hash: ffe4c080531cd9fc900c74e7d32ab7488b622a818ffc1f0bfb63ca0dd4756c36
Instruction Fuzzy Hash: 19313E71D00109ABCF55EFA4CC85AEEBFBAFF05304F004019F815A6265DB35AA46DFA4

Function 006C356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006C3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006C365C

Strings

static, xrefs: 006C35BC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7db07e39c11b8ceb1e8d9b376148b9fb0c086fac5b06296b3aca3449d7dec1e3
Instruction ID: ecb56ef633040cd025ab9039f1c8f4ebc3fe6787c859da8d4edeb28eca46b30a
Opcode Fuzzy Hash: 7db07e39c11b8ceb1e8d9b376148b9fb0c086fac5b06296b3aca3449d7dec1e3
Instruction Fuzzy Hash: 3B317C71110204AEDB109F68D881FFB73AAEF88720F00961DF9A597280DA31AD818B64

Function 006C4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 006C461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006C4634

Strings

', xrefs: 006C458E

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4f1bacdf424a9fbb1bf897476e5aaf55201071da43b55ac66922e52f80d5a441
Instruction ID: a752549fbaf5f5daf1f58d23bea7a1c62bb8a1ca71e353e2a45c45ddedeb9e92
Opcode Fuzzy Hash: 4f1bacdf424a9fbb1bf897476e5aaf55201071da43b55ac66922e52f80d5a441
Instruction Fuzzy Hash: A8313874A012099FDB14CFA9C9A0FEABBB6FF09300F50406AE905AB341DB70A941CF90

Function 006C31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006C327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006C3287

Strings

Combobox, xrefs: 006C3249

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: ed60da6776c494b70b7a76675d8223e13ffb965ff6cab5e019d647b580810f4c
Instruction ID: cb1bc8deaf4d1a1309293f1fa2d72052f316cd63a908be7764909037fac139b8
Opcode Fuzzy Hash: ed60da6776c494b70b7a76675d8223e13ffb965ff6cab5e019d647b580810f4c
Instruction Fuzzy Hash: 9F11D071200218BFEF219F54DC84FFB376BEB94364F108129F91897390D6399E518760

Function 006C3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0063600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0063604C
Part of subcall function 0063600E: GetStockObject.GDI32(00000011), ref: 00636060
Part of subcall function 0063600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0063606A

GetWindowRect.USER32(00000000,?), ref: 006C377A
GetSysColor.USER32(00000012), ref: 006C3794

Strings

static, xrefs: 006C3757

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7d1388197c90dba0fa1f5a61cb71b5e30964ccf7cd5b77ef77a33d9140c730e5
Instruction ID: 46ceb304312b864c252ea539a538b802038ad2dcc0af9b3d5267366c6b64c201
Opcode Fuzzy Hash: 7d1388197c90dba0fa1f5a61cb71b5e30964ccf7cd5b77ef77a33d9140c730e5
Instruction Fuzzy Hash: C41129B2610219AFDB01DFA8CC4AEFA7BB9EB09314F008518F955E2250D735E9519B64

Function 006ACD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006ACD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006ACDA6

Strings

<local>, xrefs: 006ACD66

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: b9d782a1a87f1f244a82c01a5206a26ea70dfef38515552063f4634aaa13beaf
Instruction ID: fdd36a40b1ed88c68f007da3d8de6a63243b90e478bab0cfa2519c315d477541
Opcode Fuzzy Hash: b9d782a1a87f1f244a82c01a5206a26ea70dfef38515552063f4634aaa13beaf
Instruction Fuzzy Hash: 1811A071205635BAD7286B668C49EF7BEAAEF537B4F00422AB11982280D7609C41DAF0

Function 006C3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006C34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006C34BA

Strings

edit, xrefs: 006C348F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: de871236927d75a7802b0ba678ee1c3c8af3e9f6948ca80ad2157a8ebc5eeca2
Instruction ID: 462a0bda692503b37f28cf95d772b1e7de9cdff52bd58374aa8e005a6b718c12
Opcode Fuzzy Hash: de871236927d75a7802b0ba678ee1c3c8af3e9f6948ca80ad2157a8ebc5eeca2
Instruction Fuzzy Hash: 2B115871500218AAEB268F64DC84FFA36ABEB05374F50C328F965933E0C775DD519B64

Function 00696C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

CharUpperBuffW.USER32(?,?,?), ref: 00696CB6
_wcslen.LIBCMT ref: 00696CC2

Strings

STOP, xrefs: 00696CBC, 00696CC1

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 0c7358471dbe0969f17b69dbb7df281422c70f3caf95b6197cfd0af8e823c6f0
Instruction ID: e00341d528a6a1816d364826b91701d5f17d62cf06cda77a837d54cb125ba302
Opcode Fuzzy Hash: 0c7358471dbe0969f17b69dbb7df281422c70f3caf95b6197cfd0af8e823c6f0
Instruction Fuzzy Hash: 8801C432A146268ACF219FBDDC819FF77BBEE61710B110529F86296690EA31D944C690

Function 00691CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 00693CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00693CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00691D4C

Strings

ComboBox, xrefs: 00691CEB
ListBox, xrefs: 00691D16

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 031fc88211255c10774b0742581b45d4dcd68b61af1a8cfe9c0de292d8746678
Instruction ID: 1f3dccefaaafbb6025980e3e3f65593932d963b0959bb68d1f294a4508d6d8e7
Opcode Fuzzy Hash: 031fc88211255c10774b0742581b45d4dcd68b61af1a8cfe9c0de292d8746678
Instruction Fuzzy Hash: 9E01B571601219AB8F08EBA4CD55CFE776EEF47360B14091DE8225B7C1EA70590C8AA0

Function 00691BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 00693CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00693CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00691C46

Strings

ComboBox, xrefs: 00691BE5
ListBox, xrefs: 00691C10

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0f3c481fe57f7acc517b5e4dda867ddb66d3f15425ec47de8d0b43c1c139d02d
Instruction ID: 1dd202d2f2462897c94a6754dc24f6599000273ee71fd1e6c23a0e167098d548
Opcode Fuzzy Hash: 0f3c481fe57f7acc517b5e4dda867ddb66d3f15425ec47de8d0b43c1c139d02d
Instruction Fuzzy Hash: 6E01F771684109A6CF08EB90CA51DFF77AE9F12340F20001DB506A7681EA749E08C6B5

Function 00691C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 00693CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00693CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00691CC8

Strings

ComboBox, xrefs: 00691C69
ListBox, xrefs: 00691C94

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 47216093c2ec921f69f38c8f74059dfdedf27d9863981f6d3788c76e3a4d67e9
Instruction ID: 676ec174be88f53bec81d45a95a755c7cb25ddd6be3e70ad5872727b5475768a
Opcode Fuzzy Hash: 47216093c2ec921f69f38c8f74059dfdedf27d9863981f6d3788c76e3a4d67e9
Instruction Fuzzy Hash: 7201F975780119A7CF04EBA0CB11EFF77AE9F12340F64041AB902B7781EAA49F08C6B5

Function 0064A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0064A529

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Strings

3yh, xrefs: 0064A545, 0064A54D, 0064A552
,%p, xrefs: 0064A509

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%p$3yh
API String ID: 2551934079-2402005161
Opcode ID: 14bd141e4d6d58ba0c983e55054aa0fd7e9ca3151c19f38af07353ce5a4ee29d
Instruction ID: ad2cccccb20f97b27d83eaba50953a2266495095da6710d0c18ca4a2303310b9
Opcode Fuzzy Hash: 14bd141e4d6d58ba0c983e55054aa0fd7e9ca3151c19f38af07353ce5a4ee29d
Instruction Fuzzy Hash: 18017B32780610A7C708F3A8DD1BAAD3397DB06720F00016CF5065B2C3DE509D068ADF

Function 00691D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00639CB3: _wcslen.LIBCMT ref: 00639CBD

Part of subcall function 00693CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00693CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00691DD3

Strings

ComboBox, xrefs: 00691D75
ListBox, xrefs: 00691DA0

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a279f41097d343bb4fe7b6b06ef417fd83ea4272c71d7c8d134fe7cf91687795
Instruction ID: cd4589baa5e89141154c8ebd76335e1f6a74e0591bf7319a7236c91b0144ab9f
Opcode Fuzzy Hash: a279f41097d343bb4fe7b6b06ef417fd83ea4272c71d7c8d134fe7cf91687795
Instruction Fuzzy Hash: 18F0A475A4121966DF08E7A4CD52EFE777EAF02350F140919B922A76C1DAB0590C8AB4

Function 006C8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00703018,0070305C), ref: 006C81BF
CloseHandle.KERNEL32 ref: 006C81D1

Strings

\0p, xrefs: 006C818A

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0p
API String ID: 3712363035-363088137
Opcode ID: 2ca65fb3f8e70bcc92879bab7bb6d0a86f702a34f6276347ebdf6fcc2be40295
Instruction ID: 49cf328b612d3b0da2fca015b3c65d22e1ca3ef1e1337dd9d1500609f6ce5897
Opcode Fuzzy Hash: 2ca65fb3f8e70bcc92879bab7bb6d0a86f702a34f6276347ebdf6fcc2be40295
Instruction Fuzzy Hash: DEF03AB1641300FAF3206765AC49FB73A9EEB05751F008465BA0CD61A2DA6A8A0482E8

Function 006B747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 006B7493
_wcslen.LIBCMT ref: 006B74B9

Strings

3, 3, 16, 1, xrefs: 006B7483

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 03f55da484aaffd3fe21910d021e4148dfdd5b9ec42675d1f4e7a5ceeb183f03
Instruction ID: 81bc1d5286103a452d24a2c6722246be743bab11eaa6e962248841fbe2c44083
Opcode Fuzzy Hash: 03f55da484aaffd3fe21910d021e4148dfdd5b9ec42675d1f4e7a5ceeb183f03
Instruction Fuzzy Hash: 8AE02B4260422020927112799CC29FF57CBCFC5753B10182FFD81C2366EE948DD193E4

Function 00690B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00690B23

Strings

AutoIt, xrefs: 00690B17
Error allocating memory., xrefs: 00690B1C

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: dd1b93a42a6301a2675d94c361a55fa8e1c852ea93432be537bfd4995824f5c0
Instruction ID: 98e20eb65bbf7d5deae9e07820590d7d48fd774ea98822c4afa36868b98e06e5
Opcode Fuzzy Hash: dd1b93a42a6301a2675d94c361a55fa8e1c852ea93432be537bfd4995824f5c0
Instruction Fuzzy Hash: 78E04F322843583AD3543B94BC07FD97A8BCF05B65F10446EFB9C959C38AE268A056ED

Function 00650D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0064F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00650D71,?,?,?,0063100A), ref: 0064F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0063100A), ref: 00650D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0063100A), ref: 00650D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00650D7F

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 7d756b605c935286ea42047c39a707b24609a9a6d423259630b3986af14c0d82
Instruction ID: f95792aa6bc30a5def0b53ef434b3120caa33ad148038ca738accb69551b9215
Opcode Fuzzy Hash: 7d756b605c935286ea42047c39a707b24609a9a6d423259630b3986af14c0d82
Instruction Fuzzy Hash: F8E06D702003418BE3609FB8E804B52BBF3EF04741F008A2DE886C6651DBB9E4488B91

Function 0064E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0064E3D5

Strings

0%p, xrefs: 0064E3B5
8%p, xrefs: 0064E3CA

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%p$8%p
API String ID: 1385522511-643965948
Opcode ID: f03c8cb203379490ee383faa9ab61310f0bfab51a0741007bd94398f54b8d215
Instruction ID: 8be8b12b68ab434a54751452993ae06da86390889da327d4b36e1ae0b3d671a6
Opcode Fuzzy Hash: f03c8cb203379490ee383faa9ab61310f0bfab51a0741007bd94398f54b8d215
Instruction Fuzzy Hash: 5EE0DF32408910CBCB079B18BC5CA883397BB04320F1042F8E502872D3DF396843865D

Function 006A3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 006A302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 006A3044

Strings

aut, xrefs: 006A3038

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ee42d4edd35fc0bb3c360422f9d0f53892645938e7f9035ca51c3719982794bd
Instruction ID: 797aaea68461ce2e1f98438b82be87e6d6900bbd9b8c1a12ca84163d848ed65a
Opcode Fuzzy Hash: ee42d4edd35fc0bb3c360422f9d0f53892645938e7f9035ca51c3719982794bd
Instruction Fuzzy Hash: 5DD05E7250032867DB20E7A4AC0EFEB3A6CDB04760F0002A1B659E20A1DAB49A84CAD0

Function 0068D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0068D220

Strings

%.3d, xrefs: 0068D22B
X64, xrefs: 0068D2A8

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6ca6b55ad85e076b2e0e8212d1229d42c61bf1b03ba02551f4ecf4aa133faf23
Instruction ID: 6d6c1506e4ab50e8b47750e348b9e99c0c3c099dc2a93ea21e2b95a1e5a0ec4f
Opcode Fuzzy Hash: 6ca6b55ad85e076b2e0e8212d1229d42c61bf1b03ba02551f4ecf4aa133faf23
Instruction Fuzzy Hash: 22D01261C08108F9CB90A7D0DC59CB9B37FEB18301F508552FA06A2080D624C70A6771

Function 006C2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006C236C
PostMessageW.USER32(00000000), ref: 006C2373

Part of subcall function 0069E97B: Sleep.KERNEL32 ref: 0069E9F3

Strings

Shell_TrayWnd, xrefs: 006C2365

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: ced91bb7898d60cf54f9a041e024cb177e403d7b4991ca6ed158ec356c52d464
Instruction ID: e6c102ee4a171d77ce46e68e23c3ba7b1b0d05619ff61cbf858fc9f8a3b831e6
Opcode Fuzzy Hash: ced91bb7898d60cf54f9a041e024cb177e403d7b4991ca6ed158ec356c52d464
Instruction Fuzzy Hash: B5D0C9327813107AE6A4B771DC0FFD6661A9B04B24F41591AB74AEA1D0C9A5A8018A58

Function 006C2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006C232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006C233F

Part of subcall function 0069E97B: Sleep.KERNEL32 ref: 0069E9F3

Strings

Shell_TrayWnd, xrefs: 006C2325

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 27d0485336d071c785c834f50931a9cbea697d378de927f4b3d9c61e8013291b
Instruction ID: f092aa2d31d8191c396092296eea43bbfa7b530bf195eabc896d7c89a55b421e
Opcode Fuzzy Hash: 27d0485336d071c785c834f50931a9cbea697d378de927f4b3d9c61e8013291b
Instruction Fuzzy Hash: 83D01236794310B7E7A4B771DC0FFE67A1A9B00B24F01591AB74AEA1D0C9F5A801CB54

Function 0066BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0066BE93
GetLastError.KERNEL32 ref: 0066BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0066BEFC

Memory Dump Source

Source File: 00000000.00000002.1482689804.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.1482599318.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006CC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482813508.00000000006F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1482893414.00000000006FC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1483060794.0000000000704000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 34d95577b3b617b8e3f25b4d7858bb3c885f0cbd48d0a7b2aa2a7ca62fdfb667
Instruction ID: 5701fe99abf79964a85493bbb1c67b226b5e9820d0feb0eb6a4c47cbd2364c09
Opcode Fuzzy Hash: 34d95577b3b617b8e3f25b4d7858bb3c885f0cbd48d0a7b2aa2a7ca62fdfb667
Instruction Fuzzy Hash: D041D435600246EFCF218FA5CC54AFA7BA7AF41360F14A169F959D72B1DB318D81CB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49739
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.8:49757

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1633819213.000002796938D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1585589170.0000027960A68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1602387978.000002796190E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584783564.0000027961908000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1581065052.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598223394.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596707093.00000279659E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1581065052.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598223394.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596707093.00000279659E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1633819213.000002796938D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1624213610.000002795E977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1614316827.000002795E969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1602387978.000002796190E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584783564.0000027961908000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1581065052.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598223394.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596707093.00000279659E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1581065052.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1598223394.00000279656A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1596707093.00000279659E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2668648240.000001546150C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2668648240.000001546150C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000E.00000003.1622608234.000002795F733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2669289175.000001609B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2668648240.000001546150C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000002.2668648240.000001546150C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/bkF equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000002.2668648240.000001546150C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/bkF equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000002.2668648240.000001546150C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/bkF equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1548949597.00000279697E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1617678279.00000279697EE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1590454597.00000279697E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://89c83477-7a1a-4f5a-bda8-ef3858d4c7d0/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1633819213.000002796938D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616769969.000002795977F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1621184968.000002795FDF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1602387978.000002796190E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1616769969.000002795977F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1584783564.0000027961908000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1621184968.000002795FDF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1606378007.000002795FDC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1624213610.000002795E977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1614316827.000002795E969000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.8:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.8:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.8:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.8:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.8:49765 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc230076-38a8-472f-b173-930f501e89ad.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_cc230076-38a8-472f-b173-930f501e89ad.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre