Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1560428
MD5:	7fa8aa5776c44304def2ed20c16d29ec
SHA1:	0fc5106137c34600f7bbb963a6c73b3f4911f1a3
SHA256:	69a5b88b0132f61fcd531761b93e11ee2d8a53228431b295c6827f314fd47dbd
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7296 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7FA8AA5776C44304DEF2ED20C16D29EC)

taskkill.exe (PID: 7376 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7492 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7548 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7648 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7712 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7816 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7832 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8068 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {465c8df0-a64e-4b21-968c-39594786de50} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d06c36fb10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7352 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -parentBuildID 20230927232528 -prefsHandle 2656 -prefMapHandle 3760 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0863c1-3657-4b0c-badb-c22f4c5a2e62} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07e575510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5840 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2582b2-479c-4318-ba99-be399e3cb30c} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07d417710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7296	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 5_2_003BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_003BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_003BED6A

Source: C:\Users\user\Desktop\file.exe

5_2_003BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

5_2_003AAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

5_2_003D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000005.00000000.1277567783.0000000000402000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_9b63d4b0-2
Source: file.exe, 00000005.00000000.1277567783.0000000000402000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5408fb4b-2
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cf04c0db-2
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ceb42f9a-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000021DCB579472 NtQuerySystemInformation,		24_2_0000021DCB579472
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000021DCB572EF7 NtQuerySystemInformation,		24_2_0000021DCB572EF7

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

5_2_003AD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_003A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

5_2_003AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0034BF40	5_2_0034BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00348060	5_2_00348060
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003B2046	5_2_003B2046
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003A8298	5_2_003A8298
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0037E4FF	5_2_0037E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0037676B	5_2_0037676B
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003D4873	5_2_003D4873
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0036CAA0	5_2_0036CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0034CAF0	5_2_0034CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0035CC39	5_2_0035CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00376DD9	5_2_00376DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0035B119	5_2_0035B119
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003491C0	5_2_003491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00361394	5_2_00361394
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00361706	5_2_00361706
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0036781B	5_2_0036781B
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00347920	5_2_00347920
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0035997D	5_2_0035997D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003619B0	5_2_003619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00367A4A	5_2_00367A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00361C77	5_2_00361C77
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00367CA7	5_2_00367CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003CBE44	5_2_003CBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00379EEE	5_2_00379EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00361F32	5_2_00361F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000021DCB579472	24_2_0000021DCB579472
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000021DCB572EF7	24_2_0000021DCB572EF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000021DCB579B9C	24_2_0000021DCB579B9C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000021DCB5794B2	24_2_0000021DCB5794B2

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00360A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0035F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00349CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@68/12

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003B37B5 GetLastError,FormatMessageW,

5_2_003B37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003A10BF AdjustTokenPrivileges,CloseHandle,		5_2_003A10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		5_2_003A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

5_2_003B51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003AD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_003AD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

5_2_003B648E

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

5_2_003442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000014.00000003.1529330206.000002D07C5D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1488759073.000002D07FDBA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000014.00000003.1536360940.000002D0846F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1512825035.000002D0846F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1508631273.000002D0846F3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE moz_places SET foreign_count = foreign_count + 1 WHERE id = NEW.place_id;

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {465c8df0-a64e-4b21-968c-39594786de50} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d06c36fb10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -parentBuildID 20230927232528 -prefsHandle 2656 -prefMapHandle 3760 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0863c1-3657-4b0c-badb-c22f4c5a2e62} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07e575510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2582b2-479c-4318-ba99-be399e3cb30c} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07d417710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {465c8df0-a64e-4b21-968c-39594786de50} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d06c36fb10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -parentBuildID 20230927232528 -prefsHandle 2656 -prefMapHandle 3760 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0863c1-3657-4b0c-badb-c22f4c5a2e62} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07e575510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2582b2-479c-4318-ba99-be399e3cb30c} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07d417710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 00000014.00000003.1518733386.000002D089101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.20.dr
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000014.00000003.1438770509.000002D07BE13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.20.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000014.00000003.1518733386.000002D089101000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000014.00000003.1438770509.000002D07BE13000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_003442DE

Source: gmpopenh264.dll.tmp.20.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00360A76 push ecx; ret

5_2_00360A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0035F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		5_2_0035F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		5_2_003D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_5-96630

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_0000021DCB579472 rdtsc

24_2_0000021DCB579472

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	5_2_003ADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0037C2A2 FindFirstFileExW,	5_2_0037C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003B68EE FindFirstFileW,FindClose,	5_2_003B68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	5_2_003B698F
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_003AD076
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_003AD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_003B9642
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_003B979D
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_003B9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003B5C97 FindFirstFileW,FindNextFileW,FindClose,	5_2_003B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_003442DE

Source: firefox.exe, 00000016.00000002.2542588438.0000013463400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
Source: firefox.exe, 00000016.00000002.2542588438.0000013463400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllr
Source: firefox.exe, 00000016.00000002.2542588438.0000013463400000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2536652745.0000013462F2A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2535957644.0000021DCAC2A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2541756877.0000021DCB460000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2541435044.000002439FFD0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2536643226.000002439FBEA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000016.00000002.2541569325.000001346331E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000016.00000002.2542588438.0000013463400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: firefox.exe, 00000018.00000002.2541756877.0000021DCB460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: firefox.exe, 00000018.00000002.2541756877.0000021DCB460000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_0000021DCB579472 rdtsc

24_2_0000021DCB579472

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003BEAA2 BlockInput,

5_2_003BEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00372622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00372622

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_003442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00364CE8 mov eax, dword ptr fs:[00000030h]

5_2_00364CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

5_2_003A0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00372622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00372622
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_0036083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0036083F
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003609D5 SetUnhandledExceptionFilter,	5_2_003609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_00360C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00360C21

Source: C:\Users\user\Desktop\file.exe

5_2_003A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00382BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_00382BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003AB226 SendInput,keybd_event,

5_2_003AB226

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

5_2_003C22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

5_2_003A0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_003A1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_00360698 cpuid

5_2_00360698

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

5_2_003B8195

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0039D27A GetUserNameW,

5_2_0039D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_0037B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

5_2_0037B952

Source: C:\Users\user\Desktop\file.exe

Code function: 5_2_003442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_003442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7296, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7296, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		5_2_003C1204
Source: C:\Users\user\Desktop\file.exe	Code function: 5_2_003C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		5_2_003C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.206	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.65.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 00000014.00000003.1520142783.000002D07FC95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1542165307.000002D07E741000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2538361822.0000021DCAFC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2537801840.000002439FEC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000014.00000003.1525934891.000002D07D430000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://datastudio.google.com/embed/reporting/	firefox.exe, 00000014.00000003.1398894420.000002D07DD26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1535975205.000002D084F17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1395245319.000002D07DCF8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.mozilla.com0	gmpopenh264.dll.tmp.20.dr	false	high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 00000014.00000003.1443392958.000002D07FF17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1361640958.000002D07FF24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1360515737.000002D07FF24000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000019.00000002.2537801840.000002439FE8F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 00000014.00000003.1536533699.000002D08463F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.leboncoin.fr/	firefox.exe, 00000014.00000003.1537283694.000002D080128000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000014.00000003.1382516477.000002D07FE75000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 00000014.00000003.1488759073.000002D07FDE1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/notes/javascript-escapes#single	firefox.exe, 00000014.00000003.1455403315.000002D088A9E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com	firefox.exe, 00000014.00000003.1527164647.000002D07D409000.00000004.00000800.00020000.00000000.sdmp	false	high
https://completion.amazon.com/search/complete?q=	firefox.exe, 00000014.00000003.1335326982.000002D07A37F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1334678763.000002D07BF00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1335161529.000002D07A360000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1334852232.000002D07A321000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1335014368.000002D07A340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000014.00000003.1524500854.000002D07D6BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1365650327.000002D07CE6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1511130040.000002D07DAFA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 00000014.00000003.1383597179.000002D07FDCB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000014.00000003.1486928059.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1538429403.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1530025295.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1383377417.000002D07FE3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1502858337.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000014.00000003.1382516477.000002D07FE75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1382516477.000002D07FE5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1385036399.000002D07D873000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.msn.com	firefox.exe, 00000014.00000003.1514471453.000002D07FD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1526135425.000002D07FD40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000014.00000003.1334678763.000002D07BF00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1335161529.000002D07A360000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1334852232.000002D07A321000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1335014368.000002D07A340000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def	firefox.exe, 00000014.00000003.1368785662.000002D07D117000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/	firefox.exe, 00000014.00000003.1550441074.000002D07E597000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1542165307.000002D07E750000.00000004.00000800.00020000.00000000.sdmp	false	high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 00000014.00000003.1536667873.000002D080169000.00000004.00000800.00020000.00000000.sdmp	false	high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 00000014.00000003.1536533699.000002D08463F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000014.00000003.1508631273.000002D084686000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000014.00000003.1545518247.000002D087A25000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://api.accounts.firefox.com/v1	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://youtube.com/account?=htb	firefox.exe, 00000019.00000002.2541026103.000002439FFC0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/	firefox.exe, 00000014.00000003.1363694208.000002D080193000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000014.00000003.1486928059.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1538429403.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1530025295.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1383377417.000002D07FE3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1502858337.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
http://ocsp.rootca1.amazontrust.com0:	firefox.exe, 00000014.00000003.1528715609.000002D07C940000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1366169253.000002D07C940000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.youtube.com/	firefox.exe, 00000014.00000003.1363694208.000002D080193000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2538361822.0000021DCAF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2537801840.000002439FE0C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 00000014.00000003.1398603372.000002D07DD34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1398853351.000002D07DD32000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 00000014.00000003.1550098064.000002D07E794000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 00000014.00000003.1537283694.000002D080128000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 00000014.00000003.1517321169.000002D07D826000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000014.00000003.1546406507.000002D0801B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2538361822.0000021DCAFC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2537801840.000002439FEC4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://127.0.0.1:	firefox.exe, 00000014.00000003.1490000659.000002D07F780000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 00000014.00000003.1398307553.000002D07DD1B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000014.00000003.1377219987.000002D07D5B6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=htK	firefox.exe, 00000018.00000002.2534922473.0000021DCABE0000.00000004.00000020.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000014.00000003.1535130068.000002D087AAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1545402366.000002D087AC6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 00000014.00000003.1511130040.000002D07DAFA000.00000004.00000800.00020000.00000000.sdmp	false	high
https://youtube.com/account?=	recovery.jsonlz4.tmp.20.dr	false	high
https://shavar.services.mozilla.com/	firefox.exe, 00000014.00000003.1527164647.000002D07D409000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000016.00000002.2538302561.00000134631C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2538361822.0000021DCAFEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2541642920.00000243A0103000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.20.dr	false	high
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 00000014.00000003.1383377417.000002D07FE3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1502858337.000002D07FE48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1486928059.000002D07FE40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000014.00000003.1382516477.000002D07FE75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1535242693.000002D08509F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2538361822.0000021DCAF12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2537801840.000002439FE13000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1537283694.000002D080128000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	false	high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000014.00000003.1383597179.000002D07FDCB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.0/	firefox.exe, 00000014.00000003.1549875523.000002D07E7B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/MPL/2.0/.	firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1455403315.000002D088A9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1436985223.000002D07D5AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1500637006.000002D07D9BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1425080804.000002D07D5F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1505907506.000002D07ABE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1388852100.000002D07D9E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1480276816.000002D0889A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1539900471.000002D07F7C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543682269.000002D07E6BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1434686207.000002D07DC40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1341503947.000002D07CF5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1339564825.000002D07CF3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1509543141.000002D07FD9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1516129584.000002D07E5D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1436985223.000002D07D599000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1477559633.000002D07DC09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1520142783.000002D07FCDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1490174373.000002D07F759000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1472348318.000002D088A84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1449373429.000002D07D963000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 00000014.00000003.1514471453.000002D07FD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1526135425.000002D07FD40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 00000014.00000003.1514471453.000002D07FD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1526135425.000002D07FD40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://coverage.mozilla.org	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.20.dr	false	high
https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839	firefox.exe, 00000014.00000003.1368785662.000002D07D117000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1509250275.000002D07FDE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1488759073.000002D07FDE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1514306764.000002D07FDE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1383597179.000002D07FDCB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000014.00000003.1383597179.000002D07FDBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1528715609.000002D07C940000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1488759073.000002D07FDBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1366169253.000002D07C940000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000014.00000003.1383597179.000002D07FDBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1528715609.000002D07C940000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1488759073.000002D07FDBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1366169253.000002D07C940000.00000004.00000800.00020000.00000000.sdmp	false	high
http://a9.com/-/spec/opensearch/1.1/	firefox.exe, 00000014.00000003.1549875523.000002D07E7B8000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000014.00000003.1443392958.000002D07FF17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1361640958.000002D07FF24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1360515737.000002D07FF24000.00000004.00000800.00020000.00000000.sdmp	false	high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 00000014.00000003.1538429403.000002D07FE40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1383377417.000002D07FE3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1486928059.000002D07FE40000.00000004.00000800.00020000.00000000.sdmp	false	high
https://profiler.firefox.com	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 00000014.00000003.1337947563.000002D079933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1432796408.000002D079939000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1336771384.000002D079933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1337730797.000002D079921000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 00000014.00000003.1399450377.000002D07DCE6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000014.00000003.1516721703.000002D07D87A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mathiasbynens.be/	firefox.exe, 00000014.00000003.1455403315.000002D088A9E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000014.00000003.1364307237.000002D07ED7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1549075201.000002D07ED8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1540027109.000002D07ED7F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 00000014.00000003.1398603372.000002D07DD34000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1398307553.000002D07DD28000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1398853351.000002D07DD32000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000014.00000003.1337947563.000002D079933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1432796408.000002D079939000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1336771384.000002D079933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1337730797.000002D079921000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 00000014.00000003.1517321169.000002D07D826000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000014.00000003.1528317833.000002D07C995000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2537829043.0000013462F90000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2537265427.0000021DCAD70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2537128882.000002439FC20000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560428
Start date and time:	2024-11-21 19:57:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@68/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 35.164.125.63, 35.80.238.59, 52.12.64.98, 172.217.17.78, 88.221.134.209, 88.221.134.155, 172.217.17.42, 172.217.19.202
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:58:19	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.0.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	y.bat	Get hash	malicious	Braodo	Browse	34.117.59.81
	file.exe	Get hash	malicious	Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	http://www.im-creator.com/viewer/vbid-2a496caa-iwgbu2zx/vbid-f9637b78-lok1anrm	Get hash	malicious	Unknown	Browse	151.101.194.137
	https://www.google.com/url?sa=https://r20.rs6.net/tns.jsp?f=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjU1vfA9siJAxVNh_0HHcggMUkQFnoECB0QAQ&url=amp/s/d7TO.ifvxdvrhe.ru%2FDflmD%2F	Get hash	malicious	Unknown	Browse	151.101.2.137
	scam.html	Get hash	malicious	Unknown	Browse	151.101.2.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	https://link.edgepilot.com/s/62feea16/mgkISLmjmE63UVzPYgooJQ?u=https://ameely.com.eg/	Get hash	malicious	Unknown	Browse	151.101.194.137
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b6a5b5f0-dd6d-46d3-aa31-8d0c32189871.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177291772602178
Encrypted:	false
SSDEEP:	192:pMvMXrnQcbhbVbTbfbRbObtbyEl7n4riJA6unSrDtTkd/S9E:pFccNhnzFSJYrR1nSrDhkd/cE
MD5:	508458B5EB5D515854C4CFA6500C9023
SHA1:	E9B4E004060B4D4EF582AA33447428E6F543CD9B
SHA-256:	B9348BAB8BA253450996E8381C43FC158D399166B69B64F671E8D4419D54D91A
SHA-512:	A548F9847312958B43FAD9236D11210F458198AA7E01A827492914819D0DFBB023F71EC6770CD9287217F8DE921F07003575E8696D9D7EF32BD1E6AF7D041F9F
Malicious:	false
Preview:	{"type":"uninstall","id":"b6a5b5f0-dd6d-46d3-aa31-8d0c32189871","creationDate":"2024-11-21T20:29:24.673Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b6a5b5f0-dd6d-46d3-aa31-8d0c32189871.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.177291772602178
Encrypted:	false
SSDEEP:	192:pMvMXrnQcbhbVbTbfbRbObtbyEl7n4riJA6unSrDtTkd/S9E:pFccNhnzFSJYrR1nSrDhkd/cE
MD5:	508458B5EB5D515854C4CFA6500C9023
SHA1:	E9B4E004060B4D4EF582AA33447428E6F543CD9B
SHA-256:	B9348BAB8BA253450996E8381C43FC158D399166B69B64F671E8D4419D54D91A
SHA-512:	A548F9847312958B43FAD9236D11210F458198AA7E01A827492914819D0DFBB023F71EC6770CD9287217F8DE921F07003575E8696D9D7EF32BD1E6AF7D041F9F
Malicious:	false
Preview:	{"type":"uninstall","id":"b6a5b5f0-dd6d-46d3-aa31-8d0c32189871","creationDate":"2024-11-21T20:29:24.673Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.938354910800545
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBL7H18P:8S+Oc+UAOdwiOdKeQjDLT18P
MD5:	A96E8EF9A8043AA5D9949EA238EDAB83
SHA1:	6ECD9ED4FF76C27BD5FF1C8581591F0459A53715
SHA-256:	6BD19B4C1E65E867204B93C710E16B571D1083C640EEDE7463E9CC1108452B4B
SHA-512:	0B29B40A23F35100E0E2BD70804C0E94DEF9916D92B2381A29D64B1D3A455FE5C3D3D7B6849116E0AC5CF7677C5E0692FF2E17BA25C6A34D7FC974742166D5E5
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.938354910800545
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBL7H18P:8S+Oc+UAOdwiOdKeQjDLT18P
MD5:	A96E8EF9A8043AA5D9949EA238EDAB83
SHA1:	6ECD9ED4FF76C27BD5FF1C8581591F0459A53715
SHA-256:	6BD19B4C1E65E867204B93C710E16B571D1083C640EEDE7463E9CC1108452B4B
SHA-512:	0B29B40A23F35100E0E2BD70804C0E94DEF9916D92B2381A29D64B1D3A455FE5C3D3D7B6849116E0AC5CF7677C5E0692FF2E17BA25C6A34D7FC974742166D5E5
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07320410910008847
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	3DFC678FB8151A9CC3405E9029F950D3
SHA1:	1C01C4E7DB8570AAFF325A3A67B876404D342A1B
SHA-256:	4D03495B0CEB37C3F9E3477C84054409057FC3D9DEB932DF3314D93BD90BE70F
SHA-512:	0C52879A05E0ADAB1D828DA5D0351FDABCCD6F880256824EDDCE4CFAED436F5741A0EA4047059D092D33D23A6F519ADAEE33B87DB33A9576450BCDFA77A16DEB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.034795607256645426
Encrypted:	false
SSDEEP:	3:GtlstFX7wCuCcqHIll3lstFX7wCuCcylltT89//alEl:GtWt1po/3Wt1xZ89XuM
MD5:	EDBD608E9EF42AECC38D121E0A61115A
SHA1:	61DA3BB72433F8F6809F428C85E069D2AA858129
SHA-256:	B549E81C204A9B67A238A909898FF9FE3AF347B5D953951C1EFA631FA7FDF07A
SHA-512:	8C2365D01269F8CFA608E47D6A0D0E2DA837F813E3C85E05109C145B9497893B00C9C7512C738AB7F36CFB0EEA3D13F7869374E324553C615FD8A087330A09D7
Malicious:	false
Preview:	..-..........................q......!j.....ys.....-..........................q......!j.....ys...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.039408741346409225
Encrypted:	false
SSDEEP:	3:Ol1alXEHuQpavIJLuogZqa7l8rEXsxdwhml8XW3R2:K4l4ycLSZqwl8dMhm93w
MD5:	72287B74F70B4F09B5E396635C9DC607
SHA1:	FE3095989105463B04F88C2E091612D72AF697A1
SHA-256:	60BEC6B299454FBA783DEA8C8FE4E5FE0225FF3BD4C85BC83EFA47E136D88351
SHA-512:	1507525727700D1B5F12F3E5464CF3E2A7268684FE328144302BD09E338132E4EAD6BB74C7BE51D072879CFE6FB9AC13E1D21849CA1F3CA8B30A60D8392E0FC3
Malicious:	false
Preview:	7....-..............!j......L..............!j........q.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.4750972681761025
Encrypted:	false
SSDEEP:	192:lcnSRkyYbBp6FqUCaXC6VKVNLY5RHNBw8dQnSl:veyqUxQfUPw90
MD5:	8FAE11A2CB5135A87849FE68453E0367
SHA1:	58B00A230D411826A7A8BC20C7BFFDAED44CF9FD
SHA-256:	937964E886BBFC1BAD27D7C941BB8E02727D3859C43BEC17FE1062C38FE690B1
SHA-512:	AF65DB3107359B27AB7403998E6E75F9599C7655658E764474560C89F45477DF043A2E9D2136D74FF5D17F15593B7B515A70D9C209698076E14F4244AB958DD4
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732220934);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732220934);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732220934);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173222

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.4750972681761025
Encrypted:	false
SSDEEP:	192:lcnSRkyYbBp6FqUCaXC6VKVNLY5RHNBw8dQnSl:veyqUxQfUPw90
MD5:	8FAE11A2CB5135A87849FE68453E0367
SHA1:	58B00A230D411826A7A8BC20C7BFFDAED44CF9FD
SHA-256:	937964E886BBFC1BAD27D7C941BB8E02727D3859C43BEC17FE1062C38FE690B1
SHA-512:	AF65DB3107359B27AB7403998E6E75F9599C7655658E764474560C89F45477DF043A2E9D2136D74FF5D17F15593B7B515A70D9C209698076E14F4244AB958DD4
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732220934);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732220934);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732220934);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173222

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1560
Entropy (8bit):	6.330687960395879
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSJLXnIgc/pnxQwRlszT5sKhi0O3eHVVPNZT9amhuj3g2KtOOcUb2mJ:GUpOxEcnR603etZT94lKtedUd
MD5:	2DDB9F82C363BA05C36A97C9966806B1
SHA1:	6042E110850E02556CC153D5B7AA464171DA08CA
SHA-256:	D7BEC81BCDF5390FD95F12E9F54BAB5808F502C9EE98CA624FB41FB8BB9A9FA6
SHA-512:	C97C17B8978A92C69016892DEFCCE0D050CD14F76799806188226F7C72DCE4BB9284398D679E7060A68576052B3B4D83050F0700A06E82BDB7D0299330E11899
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bfe6cd64-5e0f-465c-b2fd-629d8391c567}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732220941350,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P04198...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...08540,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1560
Entropy (8bit):	6.330687960395879
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSJLXnIgc/pnxQwRlszT5sKhi0O3eHVVPNZT9amhuj3g2KtOOcUb2mJ:GUpOxEcnR603etZT94lKtedUd
MD5:	2DDB9F82C363BA05C36A97C9966806B1
SHA1:	6042E110850E02556CC153D5B7AA464171DA08CA
SHA-256:	D7BEC81BCDF5390FD95F12E9F54BAB5808F502C9EE98CA624FB41FB8BB9A9FA6
SHA-512:	C97C17B8978A92C69016892DEFCCE0D050CD14F76799806188226F7C72DCE4BB9284398D679E7060A68576052B3B4D83050F0700A06E82BDB7D0299330E11899
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bfe6cd64-5e0f-465c-b2fd-629d8391c567}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732220941350,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P04198...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...08540,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1560
Entropy (8bit):	6.330687960395879
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSJLXnIgc/pnxQwRlszT5sKhi0O3eHVVPNZT9amhuj3g2KtOOcUb2mJ:GUpOxEcnR603etZT94lKtedUd
MD5:	2DDB9F82C363BA05C36A97C9966806B1
SHA1:	6042E110850E02556CC153D5B7AA464171DA08CA
SHA-256:	D7BEC81BCDF5390FD95F12E9F54BAB5808F502C9EE98CA624FB41FB8BB9A9FA6
SHA-512:	C97C17B8978A92C69016892DEFCCE0D050CD14F76799806188226F7C72DCE4BB9284398D679E7060A68576052B3B4D83050F0700A06E82BDB7D0299330E11899
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{bfe6cd64-5e0f-465c-b2fd-629d8391c567}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732220941350,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate.....wtartTim..P04198...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...08540,"originA....

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.035993693738721
Encrypted:	false
SSDEEP:	48:YrSAYR/eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycR/+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	D1F9AA370B80618F3C846706A66F2937
SHA1:	45690A24226D2FACEF99EA47DFAEE14BFC821645
SHA-256:	3A32E336A32BE246EFFC4FE06386C70B0BC52C42674FCF9A607C127B7D99AED4
SHA-512:	EAFA63CB1925C0D7820FB37FBDD7A9E5483F868FA07A6AFE7DC52C8A61964A164BAA37ECA5082E54E3E2E8545439A72FD1F3F01CD46645C47B0606211034754E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-21T20:28:41.709Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.035993693738721
Encrypted:	false
SSDEEP:	48:YrSAYR/eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycR/+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	D1F9AA370B80618F3C846706A66F2937
SHA1:	45690A24226D2FACEF99EA47DFAEE14BFC821645
SHA-256:	3A32E336A32BE246EFFC4FE06386C70B0BC52C42674FCF9A607C127B7D99AED4
SHA-512:	EAFA63CB1925C0D7820FB37FBDD7A9E5483F868FA07A6AFE7DC52C8A61964A164BAA37ECA5082E54E3E2E8545439A72FD1F3F01CD46645C47B0606211034754E
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-21T20:28:41.709Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.593979308313441
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	923'136 bytes
MD5:	7fa8aa5776c44304def2ed20c16d29ec
SHA1:	0fc5106137c34600f7bbb963a6c73b3f4911f1a3
SHA256:	69a5b88b0132f61fcd531761b93e11ee2d8a53228431b295c6827f314fd47dbd
SHA512:	6eb521c820d034683a014f4fa998055c339114182512c3241330e5b8a43843b01c478cf8cb8d1e51b767c888da9fbcb8a7ee900287b1d359b7ead2ef6eeb2aa8
SSDEEP:	12288:EqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaQTd:EqDEvCTbMWu7rQYlBQcBiT6rprG8aod
TLSH:	78159E0273D1C062FFAB92334B5AF6515BBC6A260123E61F13981D79BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x673F7E73 [Thu Nov 21 18:39:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F36F4DB32A3h
jmp 00007F36F4DB2BAFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F36F4DB2D8Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F36F4DB2D5Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F36F4DB594Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F36F4DB5998h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F36F4DB5981h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xabe4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xabe4	0xac00	f9877e7a5b0e2c0aca338845976dcba5	False	0.38587845203488375	data	5.693490155403961	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1eaa	data			1.0014012738853504
RT_GROUP_ICON	0xde664	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde6dc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde6f0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde704	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde718	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde7f4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 19:58:16.698741913 CET	49708	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:16.700355053 CET	49709	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:16.700398922 CET	443	49709	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:16.700886011 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:16.700954914 CET	443	49710	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:16.701107025 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:16.701147079 CET	443	49711	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:16.701680899 CET	49709	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:16.701703072 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:16.701725960 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:16.707691908 CET	49709	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:16.707710981 CET	443	49709	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:16.716048956 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:16.716090918 CET	443	49710	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:16.717683077 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:16.717700958 CET	443	49711	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:16.818325043 CET	80	49708	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:16.818994999 CET	49708	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:16.819089890 CET	49708	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:16.938890934 CET	80	49708	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:17.262653112 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:17.262689114 CET	443	49712	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:17.262873888 CET	49713	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:17.262881041 CET	443	49713	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:17.265249968 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:17.265273094 CET	49713	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:17.265427113 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:17.265438080 CET	443	49712	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:17.266988039 CET	49713	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:17.266997099 CET	443	49713	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:17.581273079 CET	49719	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:17.581329107 CET	443	49719	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:17.581531048 CET	49719	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:17.582937002 CET	49719	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:17.582967043 CET	443	49719	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:17.975749016 CET	443	49709	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:17.975986004 CET	49709	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:17.984379053 CET	49709	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:17.984405041 CET	443	49709	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:17.984509945 CET	49709	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:17.984641075 CET	443	49709	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:17.985630035 CET	49709	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:17.997879028 CET	80	49708	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:17.998200893 CET	49708	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.079722881 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:18.079829931 CET	443	49720	34.160.144.191	192.168.2.7
Nov 21, 2024 19:58:18.080413103 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:18.080560923 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:18.080595970 CET	443	49720	34.160.144.191	192.168.2.7
Nov 21, 2024 19:58:18.118318081 CET	80	49708	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:18.118403912 CET	49708	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.220551014 CET	49721	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.220685959 CET	49722	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.340948105 CET	80	49721	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:18.341059923 CET	80	49722	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:18.342263937 CET	49721	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.342359066 CET	49722	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.342550993 CET	49721	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.342669010 CET	49722	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:18.462920904 CET	80	49721	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:18.463115931 CET	80	49722	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:18.539793015 CET	443	49710	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.540009975 CET	443	49711	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.540338039 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.540532112 CET	443	49710	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.540575027 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.540728092 CET	443	49711	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.542031050 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.542048931 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.547943115 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.547950983 CET	443	49710	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.548043013 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.548263073 CET	443	49710	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.549698114 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.549731970 CET	443	49711	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.549771070 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.549958944 CET	443	49711	142.250.181.142	192.168.2.7
Nov 21, 2024 19:58:18.552433014 CET	443	49712	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:18.562143087 CET	49710	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.562176943 CET	49711	443	192.168.2.7	142.250.181.142
Nov 21, 2024 19:58:18.563353062 CET	443	49712	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:18.563389063 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:18.570410967 CET	443	49713	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:18.577788115 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:18.577806950 CET	49713	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:18.621490002 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:18.621495962 CET	443	49712	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:18.622534990 CET	443	49712	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:18.627970934 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:18.628057003 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:18.628422022 CET	49713	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:18.628432989 CET	443	49713	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:18.628485918 CET	443	49712	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:18.628525019 CET	49713	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:18.629049063 CET	443	49713	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:18.629492044 CET	49712	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:18.629507065 CET	49713	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:18.819602013 CET	443	49719	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:18.819757938 CET	49719	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.121032953 CET	49725	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.121078968 CET	443	49725	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:19.121251106 CET	49725	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.122864008 CET	49725	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.122879028 CET	443	49725	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:19.124124050 CET	49719	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.124150991 CET	443	49719	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:19.124209881 CET	49719	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.124919891 CET	443	49719	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:19.125001907 CET	49719	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.409440041 CET	443	49720	34.160.144.191	192.168.2.7
Nov 21, 2024 19:58:19.409534931 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:19.412971973 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:19.412995100 CET	443	49720	34.160.144.191	192.168.2.7
Nov 21, 2024 19:58:19.413258076 CET	443	49720	34.160.144.191	192.168.2.7
Nov 21, 2024 19:58:19.416203976 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:19.416285038 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:19.416369915 CET	443	49720	34.160.144.191	192.168.2.7
Nov 21, 2024 19:58:19.416429043 CET	49720	443	192.168.2.7	34.160.144.191
Nov 21, 2024 19:58:19.473890066 CET	80	49721	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:19.475991011 CET	80	49722	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:19.527513981 CET	49721	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.604583025 CET	49721	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.604626894 CET	49722	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.685832977 CET	49731	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.685882092 CET	443	49731	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:19.690248013 CET	49731	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.691927910 CET	49731	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:19.691956997 CET	443	49731	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:19.702471018 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.702692986 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.703810930 CET	49734	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:19.703824043 CET	443	49734	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:19.705889940 CET	49734	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:19.707406998 CET	49734	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:19.707420111 CET	443	49734	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:19.725477934 CET	80	49721	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:19.725665092 CET	49721	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.725857019 CET	80	49722	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:19.725924969 CET	49722	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.822040081 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:19.822091103 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:19.822455883 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.822613001 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.822668076 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.822792053 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:19.942085981 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:19.942209005 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:20.439161062 CET	443	49725	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.439382076 CET	49725	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.444634914 CET	49725	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.444654942 CET	443	49725	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.444725990 CET	49725	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.444787025 CET	443	49725	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.444876909 CET	49725	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.747592926 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:20.747664928 CET	443	49736	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:20.760222912 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:20.762255907 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:20.762291908 CET	443	49736	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:20.769330025 CET	49737	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:20.769392014 CET	443	49737	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:20.771847963 CET	49737	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:20.773361921 CET	49737	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:20.773396969 CET	443	49737	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:20.911345959 CET	443	49731	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.911462069 CET	49731	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.913914919 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:20.916490078 CET	49731	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.916502953 CET	443	49731	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.916589022 CET	49731	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.916657925 CET	443	49731	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.916944027 CET	49738	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.916979074 CET	443	49738	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.917175055 CET	49731	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.917211056 CET	49738	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.918703079 CET	49738	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:20.918718100 CET	443	49738	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:20.988526106 CET	443	49734	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:20.988629103 CET	49734	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:20.992595911 CET	49734	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:20.992603064 CET	443	49734	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:20.992759943 CET	49734	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:20.992800951 CET	443	49734	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:20.993704081 CET	49734	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:21.001774073 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:21.009747982 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:21.208283901 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:21.998003960 CET	443	49736	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:21.998014927 CET	443	49736	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:21.998079062 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:22.000735044 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:22.000754118 CET	443	49736	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:22.001018047 CET	443	49736	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:22.002979994 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:22.003056049 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:22.003154993 CET	443	49736	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:22.003190041 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:22.003578901 CET	49736	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:22.097301006 CET	443	49737	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:22.097388983 CET	49737	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:22.102540016 CET	49737	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:22.102550983 CET	443	49737	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:22.102607965 CET	49737	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:22.102833986 CET	443	49737	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:22.102894068 CET	49737	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:22.240605116 CET	443	49738	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:22.247334957 CET	443	49738	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:22.247920036 CET	49738	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:22.257565975 CET	49738	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:22.257575035 CET	443	49738	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:22.257668018 CET	49738	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:22.257869959 CET	443	49738	34.117.188.166	192.168.2.7
Nov 21, 2024 19:58:22.258003950 CET	49738	443	192.168.2.7	34.117.188.166
Nov 21, 2024 19:58:22.735176086 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:22.737139940 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:22.815448046 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:22.815542936 CET	443	49744	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:22.828957081 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:22.829227924 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:22.829267025 CET	443	49744	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:22.855511904 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:22.857287884 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:22.876976013 CET	49745	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:22.877028942 CET	443	49745	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:22.877378941 CET	49745	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:22.878814936 CET	49745	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:22.878834963 CET	443	49745	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:23.052202940 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:23.069227934 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:23.098258972 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:23.120413065 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:24.141798973 CET	443	49744	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:24.141836882 CET	443	49744	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:24.141880989 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:24.144002914 CET	443	49745	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:24.144098997 CET	49745	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:24.187139988 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:24.187180042 CET	443	49744	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:24.187520981 CET	443	49744	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:24.192253113 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:24.192333937 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:24.192434072 CET	443	49744	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:24.192765951 CET	49745	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:24.192765951 CET	49745	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:24.192785978 CET	443	49745	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:24.192931890 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:24.192974091 CET	443	49745	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:24.192996025 CET	49744	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:24.193192959 CET	49745	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:27.516515970 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:27.636785984 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:27.717082977 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:27.839236021 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:27.851361990 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:27.904398918 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:28.034275055 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:28.082061052 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:28.314822912 CET	49758	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:28.314867973 CET	443	49758	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:28.325148106 CET	49758	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:28.326822996 CET	49758	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:28.326844931 CET	443	49758	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.587435007 CET	443	49758	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.587455034 CET	443	49758	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.587538958 CET	49758	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.688873053 CET	49758	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.688905954 CET	443	49758	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.688978910 CET	49758	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.689248085 CET	443	49758	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.692311049 CET	49758	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.710882902 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.710923910 CET	443	49766	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.711169958 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.711215973 CET	443	49767	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.715281963 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.715415001 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.715447903 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.715460062 CET	443	49766	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:29.715574980 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:29.715585947 CET	443	49767	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:30.948662996 CET	443	49767	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:30.948756933 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.042992115 CET	443	49766	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.043066978 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.137013912 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.137042046 CET	443	49766	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.137463093 CET	443	49766	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.139085054 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.139118910 CET	443	49767	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.139445066 CET	443	49767	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.142441034 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.142590046 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.142610073 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.142662048 CET	443	49766	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.142678976 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.142780066 CET	443	49767	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.142792940 CET	49766	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.142867088 CET	49767	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.177465916 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:31.235902071 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:31.237468958 CET	49773	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.237548113 CET	443	49773	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.243649960 CET	49773	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.245307922 CET	49773	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:31.245321989 CET	443	49773	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:31.297537088 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:31.303739071 CET	49774	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:31.303776979 CET	443	49774	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:31.307025909 CET	49774	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:31.355459929 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:31.512252092 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:31.550781012 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:31.560117006 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:31.613960981 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:31.876017094 CET	49774	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:31.876092911 CET	443	49774	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:32.551074028 CET	443	49773	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:32.551168919 CET	49773	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:32.598726988 CET	49773	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:32.598793030 CET	443	49773	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:32.598859072 CET	49773	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:32.599025965 CET	443	49773	34.120.208.123	192.168.2.7
Nov 21, 2024 19:58:32.599101067 CET	49773	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:58:32.604430914 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:32.794332981 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:32.974033117 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:33.008335114 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:33.049032927 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:33.093564987 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:33.179362059 CET	443	49774	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:33.179464102 CET	49774	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:33.288501024 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:33.349443913 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:33.932049036 CET	49774	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:33.932075024 CET	443	49774	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:33.932136059 CET	49774	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:33.932326078 CET	443	49774	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:33.932586908 CET	49774	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:35.704771996 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:35.713566065 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:35.824731112 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:35.833266973 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:36.028616905 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:36.029489994 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:36.033200026 CET	49785	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:36.039107084 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:36.039167881 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:36.073395014 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:36.151648045 CET	80	49732	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:36.151711941 CET	49732	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:36.154721975 CET	80	49785	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:36.154819965 CET	49785	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:36.155040026 CET	49785	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:36.277270079 CET	80	49785	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:37.290460110 CET	80	49785	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:37.345935106 CET	49785	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:43.971841097 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:43.971899986 CET	443	49800	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:43.974248886 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:43.977504969 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:43.977536917 CET	443	49800	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:43.994885921 CET	49801	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:43.994932890 CET	443	49801	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:43.998255968 CET	49801	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:43.999742985 CET	49801	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:43.999763966 CET	443	49801	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:44.001018047 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:44.001043081 CET	443	49802	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:44.001204967 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:44.001318932 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:44.001327991 CET	443	49802	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:44.027539015 CET	49803	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:44.027563095 CET	443	49803	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:44.034086943 CET	49803	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:44.035551071 CET	49803	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:44.035562992 CET	443	49803	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:44.366825104 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:44.366856098 CET	443	49804	151.101.193.91	192.168.2.7
Nov 21, 2024 19:58:44.367276907 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:44.367507935 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:44.367521048 CET	443	49804	151.101.193.91	192.168.2.7
Nov 21, 2024 19:58:44.459595919 CET	49805	443	192.168.2.7	35.201.103.21
Nov 21, 2024 19:58:44.459624052 CET	443	49805	35.201.103.21	192.168.2.7
Nov 21, 2024 19:58:44.459933043 CET	49805	443	192.168.2.7	35.201.103.21
Nov 21, 2024 19:58:44.461380959 CET	49805	443	192.168.2.7	35.201.103.21
Nov 21, 2024 19:58:44.461389065 CET	443	49805	35.201.103.21	192.168.2.7
Nov 21, 2024 19:58:45.379570961 CET	443	49802	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:45.379643917 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.379872084 CET	443	49801	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:45.379946947 CET	49801	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:45.383141994 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.383148909 CET	443	49802	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:45.383410931 CET	443	49802	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:45.388248920 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.388354063 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.388401985 CET	443	49802	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:45.388488054 CET	49801	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:45.388513088 CET	443	49801	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:45.388565063 CET	49801	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:45.388714075 CET	443	49801	34.107.243.93	192.168.2.7
Nov 21, 2024 19:58:45.389132023 CET	49802	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.389153957 CET	49801	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:58:45.393153906 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:45.611933947 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:45.614048004 CET	443	49800	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.614136934 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.614578009 CET	443	49803	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:45.614589930 CET	443	49803	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:45.614689112 CET	49803	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:45.617486000 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.617496014 CET	443	49800	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.617763996 CET	443	49800	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.622579098 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.622689009 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.622833967 CET	443	49800	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.622951984 CET	49803	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:45.622957945 CET	443	49803	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:45.623006105 CET	49803	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:45.623147964 CET	443	49803	35.190.72.216	192.168.2.7
Nov 21, 2024 19:58:45.623224974 CET	49800	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.623230934 CET	49803	443	192.168.2.7	35.190.72.216
Nov 21, 2024 19:58:45.717938900 CET	443	49804	151.101.193.91	192.168.2.7
Nov 21, 2024 19:58:45.718053102 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:45.721643925 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:45.721656084 CET	443	49804	151.101.193.91	192.168.2.7
Nov 21, 2024 19:58:45.721908092 CET	443	49804	151.101.193.91	192.168.2.7
Nov 21, 2024 19:58:45.724530935 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:45.724628925 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:45.724673986 CET	443	49804	151.101.193.91	192.168.2.7
Nov 21, 2024 19:58:45.724775076 CET	49804	443	192.168.2.7	151.101.193.91
Nov 21, 2024 19:58:45.726255894 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:45.734673977 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.734730005 CET	443	49811	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.735363007 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.735513926 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.735531092 CET	443	49811	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.737670898 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.737701893 CET	443	49812	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.740044117 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.740072966 CET	443	49813	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.741744041 CET	49785	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:45.741878986 CET	443	49805	35.201.103.21	192.168.2.7
Nov 21, 2024 19:58:45.744805098 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.744816065 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.744841099 CET	49805	443	192.168.2.7	35.201.103.21
Nov 21, 2024 19:58:45.747391939 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.747405052 CET	443	49812	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.747438908 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:45.747462034 CET	443	49813	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:45.749659061 CET	49805	443	192.168.2.7	35.201.103.21
Nov 21, 2024 19:58:45.749680996 CET	443	49805	35.201.103.21	192.168.2.7
Nov 21, 2024 19:58:45.749716043 CET	49805	443	192.168.2.7	35.201.103.21
Nov 21, 2024 19:58:45.749979019 CET	443	49805	35.201.103.21	192.168.2.7
Nov 21, 2024 19:58:45.750894070 CET	49805	443	192.168.2.7	35.201.103.21
Nov 21, 2024 19:58:45.752799988 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:45.755191088 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.755223989 CET	443	49814	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:45.755585909 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.755731106 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:45.755748987 CET	443	49814	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:45.864855051 CET	80	49785	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:45.876126051 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:46.068934917 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:46.070878983 CET	49785	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:46.074250937 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:46.074515104 CET	80	49785	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:46.074681997 CET	49785	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:46.114629030 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:46.208492994 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:46.208592892 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:46.208786011 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:46.349102974 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:47.055354118 CET	443	49811	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.055438995 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.058475971 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.058490038 CET	443	49811	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.058845997 CET	443	49811	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.060233116 CET	443	49812	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.060245991 CET	443	49812	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.060343027 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.062153101 CET	443	49814	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:47.062288046 CET	443	49813	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.062688112 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.062699080 CET	443	49812	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.062868118 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:47.062925100 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.062930107 CET	443	49812	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.065943003 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:47.065958023 CET	443	49814	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:47.066229105 CET	443	49814	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:47.068376064 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.068382025 CET	443	49813	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.068703890 CET	443	49813	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.069926977 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.070034027 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.070116043 CET	443	49811	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.070671082 CET	49811	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.074858904 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.074928999 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.075030088 CET	443	49812	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.075640917 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:47.075732946 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:47.075793982 CET	443	49814	34.149.100.209	192.168.2.7
Nov 21, 2024 19:58:47.075826883 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.075901031 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.075984001 CET	443	49813	35.244.181.201	192.168.2.7
Nov 21, 2024 19:58:47.077020884 CET	49814	443	192.168.2.7	34.149.100.209
Nov 21, 2024 19:58:47.077028036 CET	49812	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.077056885 CET	49813	443	192.168.2.7	35.244.181.201
Nov 21, 2024 19:58:47.080956936 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:47.214941978 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:47.342667103 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:47.387156963 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:47.411345959 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:47.414735079 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:47.471796036 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:47.535288095 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:47.739737034 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:47.788310051 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:56.940017939 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:57.066513062 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:57.261846066 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:57.265984058 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:57.316092968 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:58:57.386130095 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:57.608527899 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:58:57.663826942 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:05.543159008 CET	49861	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:05.543196917 CET	443	49861	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:05.543570995 CET	49861	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:05.545008898 CET	49861	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:05.545028925 CET	443	49861	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:06.855622053 CET	443	49861	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:06.855772018 CET	49861	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:06.860431910 CET	49861	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:06.860447884 CET	443	49861	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:06.860526085 CET	49861	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:06.860702991 CET	443	49861	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:06.861629963 CET	49861	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:06.863646030 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:06.983448982 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:07.178546906 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:07.181797028 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:07.221885920 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:07.301430941 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:07.506139040 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:07.558883905 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:14.161458015 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.161489964 CET	443	49879	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.161552906 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.161602974 CET	443	49880	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.161690950 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.161734104 CET	443	49881	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.161806107 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.161817074 CET	443	49882	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.161931992 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.161942005 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.162081003 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162180901 CET	443	49884	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.162194014 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162195921 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162214041 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162214041 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162225962 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162377119 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162389040 CET	443	49879	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.162498951 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162508965 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.162554979 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162576914 CET	443	49882	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.162620068 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162626982 CET	443	49881	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.162678957 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.162692070 CET	443	49880	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:14.165637016 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.165824890 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:14.165864944 CET	443	49884	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.383846998 CET	443	49879	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.383930922 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.387434006 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.387439966 CET	443	49879	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.387681007 CET	443	49879	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.390604019 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.390727997 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.390744925 CET	443	49879	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.391225100 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.391297102 CET	443	49886	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.394768953 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:15.395329952 CET	49879	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.395400047 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.395673037 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.395710945 CET	443	49886	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.427194118 CET	443	49880	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.427285910 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.430152893 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.430169106 CET	443	49880	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.430448055 CET	443	49880	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.432432890 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.432559967 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.432651043 CET	443	49880	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.432982922 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.433008909 CET	443	49887	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.433075905 CET	49880	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.433089018 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.433109999 CET	443	49881	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.433257103 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.433269978 CET	443	49887	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.433387995 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.436018944 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.436239004 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.436249971 CET	443	49881	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.436331034 CET	443	49882	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.436431885 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.436916113 CET	443	49881	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.436956882 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.438715935 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.438721895 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.439110994 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.440903902 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.440916061 CET	443	49882	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.441205978 CET	443	49882	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.444411993 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.444593906 CET	443	49881	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.444742918 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.444751024 CET	443	49881	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.445053101 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.445302010 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.445384026 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.445390940 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.445851088 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.445928097 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.446089983 CET	49881	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.446248055 CET	443	49882	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.446325064 CET	49882	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.533792973 CET	443	49884	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.534151077 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.537087917 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.537096977 CET	443	49884	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.537535906 CET	443	49884	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.539226055 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.539345980 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.539367914 CET	443	49884	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.539514065 CET	49884	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.579931974 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:15.651362896 CET	443	49883	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:15.653486967 CET	49883	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:15.795069933 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:15.799671888 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:15.843513966 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:15.919226885 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:16.136395931 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:16.182286024 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:16.781194925 CET	443	49887	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.781336069 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.784054041 CET	443	49886	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.785482883 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.785500050 CET	443	49887	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.785770893 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.785849094 CET	443	49887	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.789139032 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.789165974 CET	443	49886	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.789453983 CET	443	49886	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.793167114 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.793329954 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.793369055 CET	443	49887	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.793670893 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.793751001 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.793826103 CET	443	49886	34.120.208.123	192.168.2.7
Nov 21, 2024 19:59:16.795840979 CET	49887	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.796056032 CET	49886	443	192.168.2.7	34.120.208.123
Nov 21, 2024 19:59:16.796242952 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:16.915745020 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:17.114115000 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:17.117903948 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:17.169199944 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:17.237396955 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:17.442591906 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:17.485734940 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:27.119956970 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:27.239584923 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:27.452033043 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:27.571604967 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:37.248059988 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:37.370464087 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:37.580239058 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:37.700653076 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:47.376651049 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:47.496268034 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:47.708744049 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:47.828705072 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:47.999986887 CET	49889	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:48.000025034 CET	443	49889	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:48.000555038 CET	49889	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:48.002264023 CET	49889	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:48.002290964 CET	443	49889	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:49.268296003 CET	443	49889	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:49.270263910 CET	49889	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:49.275702000 CET	49889	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:49.275717020 CET	443	49889	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:49.275800943 CET	49889	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:49.275901079 CET	443	49889	34.107.243.93	192.168.2.7
Nov 21, 2024 19:59:49.276144981 CET	49889	443	192.168.2.7	34.107.243.93
Nov 21, 2024 19:59:49.278661013 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:49.398133039 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:49.607856035 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:49.611534119 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:49.652235985 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:49.731231928 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:49.936897039 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:49.984283924 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:59.611618042 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 19:59:59.731492996 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 19:59:59.943873882 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 20:00:00.063493967 CET	80	49815	34.107.221.82	192.168.2.7
Nov 21, 2024 20:00:09.740278959 CET	49733	80	192.168.2.7	34.107.221.82
Nov 21, 2024 20:00:09.859847069 CET	80	49733	34.107.221.82	192.168.2.7
Nov 21, 2024 20:00:10.072367907 CET	49815	80	192.168.2.7	34.107.221.82
Nov 21, 2024 20:00:10.191910982 CET	80	49815	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 19:58:16.558748007 CET	63281	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.558856964 CET	63709	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.696854115 CET	53	63709	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:16.699358940 CET	53014	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.703926086 CET	54413	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.704719067 CET	54948	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.837105036 CET	53	53014	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:16.841564894 CET	53	54948	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:16.844341993 CET	57797	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.844799042 CET	61607	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.919569969 CET	54727	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:16.982213974 CET	53	57797	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:16.982785940 CET	53	61607	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.057672024 CET	53	54727	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.213501930 CET	53	54413	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.215240002 CET	65169	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.263398886 CET	53746	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.263664007 CET	51582	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.355266094 CET	53	65169	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.425844908 CET	53	51582	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.426585913 CET	53	53746	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.426831961 CET	50706	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.427154064 CET	54237	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.438064098 CET	58935	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.564444065 CET	53	50706	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.564780951 CET	53	54237	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.579957962 CET	53	58935	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.581482887 CET	62960	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.720558882 CET	53	62960	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.748164892 CET	54360	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:17.887232065 CET	53	54360	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:17.932578087 CET	59587	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.005755901 CET	63946	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.006297112 CET	57626	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.072770119 CET	53	59587	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.073167086 CET	51329	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.075057983 CET	56808	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.081032991 CET	50354	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.145463943 CET	53	57626	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.147289991 CET	53	63946	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.178400993 CET	58623	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.228264093 CET	53	50354	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.228970051 CET	53899	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.316747904 CET	53	58623	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.320919991 CET	52627	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.372195005 CET	53	53899	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.463104963 CET	53	52627	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.464052916 CET	62797	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:18.601294994 CET	53	62797	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:18.782932043 CET	53	59268	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:20.616060019 CET	63495	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:20.758805990 CET	53	63495	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:20.769519091 CET	56115	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:20.907792091 CET	53	56115	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:20.908536911 CET	62702	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:21.047230959 CET	53	62702	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:22.639575005 CET	50616	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:22.777283907 CET	53	50616	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:22.784296036 CET	58040	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:22.877285957 CET	60436	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:22.929156065 CET	53	58040	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:22.931241035 CET	58264	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:23.015511990 CET	53	60436	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:23.016331911 CET	55227	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:23.070632935 CET	53	58264	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:23.155399084 CET	53	55227	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:28.165263891 CET	64702	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:28.303343058 CET	53	64702	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:31.304469109 CET	64809	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:31.442123890 CET	53	64809	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.207818031 CET	57216	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.208110094 CET	55085	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.208369970 CET	49256	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.347666979 CET	53	57216	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.349663019 CET	53	55085	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.350306988 CET	53	49256	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.568837881 CET	53576	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.569166899 CET	60985	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.706135988 CET	53	60985	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.713939905 CET	62533	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.766946077 CET	53	53576	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.768282890 CET	50860	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.861548901 CET	53	62533	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.909652948 CET	53	50860	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:33.930727005 CET	50533	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.930784941 CET	62387	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:33.931014061 CET	50317	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:34.070337057 CET	53	50533	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:34.070367098 CET	53	50317	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:34.071831942 CET	53	62387	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:34.080315113 CET	60582	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:34.218487024 CET	53	60582	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:35.700227976 CET	57570	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:35.700351954 CET	51077	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:35.837481022 CET	53	57570	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:35.838583946 CET	53	51077	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:35.841831923 CET	51069	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:35.842842102 CET	55245	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:35.980259895 CET	53	51069	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:36.065779924 CET	53	55245	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:43.978607893 CET	56876	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:43.994122982 CET	57041	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:43.995923042 CET	52535	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:44.033340931 CET	62444	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:44.287301064 CET	53	56876	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:44.287755966 CET	53	52535	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:44.365479946 CET	53	57041	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:44.367218018 CET	49685	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:44.458256006 CET	53	62444	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:44.459861994 CET	56733	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:44.521152020 CET	53	49685	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:44.521899939 CET	51632	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:44.706595898 CET	53	56733	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:44.708493948 CET	57655	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:58:44.741559029 CET	53	51632	1.1.1.1	192.168.2.7
Nov 21, 2024 19:58:44.845650911 CET	53	57655	1.1.1.1	192.168.2.7
Nov 21, 2024 19:59:05.404073954 CET	57565	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:05.541990995 CET	53	57565	1.1.1.1	192.168.2.7
Nov 21, 2024 19:59:05.543484926 CET	59148	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:05.684015989 CET	53	59148	1.1.1.1	192.168.2.7
Nov 21, 2024 19:59:14.161860943 CET	51594	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:14.302021027 CET	53	51594	1.1.1.1	192.168.2.7
Nov 21, 2024 19:59:15.395309925 CET	51515	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:16.797396898 CET	64704	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:16.934947968 CET	53	64704	1.1.1.1	192.168.2.7
Nov 21, 2024 19:59:47.857637882 CET	53273	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:47.998723030 CET	53	53273	1.1.1.1	192.168.2.7
Nov 21, 2024 19:59:48.000422955 CET	60400	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:48.143985987 CET	53	60400	1.1.1.1	192.168.2.7
Nov 21, 2024 19:59:49.278537035 CET	59687	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:49.417834044 CET	62114	53	192.168.2.7	1.1.1.1
Nov 21, 2024 19:59:49.562850952 CET	53	62114	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 19:58:16.558748007 CET	192.168.2.7	1.1.1.1	0x395f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.558856964 CET	192.168.2.7	1.1.1.1	0x8482	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.699358940 CET	192.168.2.7	1.1.1.1	0x1499	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.703926086 CET	192.168.2.7	1.1.1.1	0x5248	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.704719067 CET	192.168.2.7	1.1.1.1	0xcdd	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.844341993 CET	192.168.2.7	1.1.1.1	0xf15f	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:16.844799042 CET	192.168.2.7	1.1.1.1	0x50ff	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:16.919569969 CET	192.168.2.7	1.1.1.1	0xa9f5	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.215240002 CET	192.168.2.7	1.1.1.1	0xcc33	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:17.263398886 CET	192.168.2.7	1.1.1.1	0x2d24	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.263664007 CET	192.168.2.7	1.1.1.1	0xe9e9	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.426831961 CET	192.168.2.7	1.1.1.1	0xeb1a	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:17.427154064 CET	192.168.2.7	1.1.1.1	0xea7e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:17.438064098 CET	192.168.2.7	1.1.1.1	0x2d3	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.581482887 CET	192.168.2.7	1.1.1.1	0x5f69	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.748164892 CET	192.168.2.7	1.1.1.1	0xde9e	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:17.932578087 CET	192.168.2.7	1.1.1.1	0x5638	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.005755901 CET	192.168.2.7	1.1.1.1	0xb9c9	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.006297112 CET	192.168.2.7	1.1.1.1	0x654b	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.073167086 CET	192.168.2.7	1.1.1.1	0x7c4f	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.075057983 CET	192.168.2.7	1.1.1.1	0x3f2d	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.081032991 CET	192.168.2.7	1.1.1.1	0x8361	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.178400993 CET	192.168.2.7	1.1.1.1	0x462c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.228970051 CET	192.168.2.7	1.1.1.1	0xff4d	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:18.320919991 CET	192.168.2.7	1.1.1.1	0x2a53	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.464052916 CET	192.168.2.7	1.1.1.1	0xe243	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:20.616060019 CET	192.168.2.7	1.1.1.1	0x9a0d	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:20.769519091 CET	192.168.2.7	1.1.1.1	0x6902	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:20.908536911 CET	192.168.2.7	1.1.1.1	0x211d	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:22.639575005 CET	192.168.2.7	1.1.1.1	0x428c	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:22.784296036 CET	192.168.2.7	1.1.1.1	0x73a	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:22.877285957 CET	192.168.2.7	1.1.1.1	0xa570	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:22.931241035 CET	192.168.2.7	1.1.1.1	0xfa7c	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:23.016331911 CET	192.168.2.7	1.1.1.1	0xc260	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:28.165263891 CET	192.168.2.7	1.1.1.1	0xae30	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:31.304469109 CET	192.168.2.7	1.1.1.1	0xdaf7	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:33.207818031 CET	192.168.2.7	1.1.1.1	0x92be	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.208110094 CET	192.168.2.7	1.1.1.1	0x79a1	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.208369970 CET	192.168.2.7	1.1.1.1	0x1732	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.568837881 CET	192.168.2.7	1.1.1.1	0x21f3	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.569166899 CET	192.168.2.7	1.1.1.1	0x3aa7	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.713939905 CET	192.168.2.7	1.1.1.1	0xa9f0	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:33.768282890 CET	192.168.2.7	1.1.1.1	0x19e1	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 21, 2024 19:58:33.930727005 CET	192.168.2.7	1.1.1.1	0x7001	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.930784941 CET	192.168.2.7	1.1.1.1	0x222	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.931014061 CET	192.168.2.7	1.1.1.1	0x9b14	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.080315113 CET	192.168.2.7	1.1.1.1	0xe75	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:35.700227976 CET	192.168.2.7	1.1.1.1	0xf507	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:35.700351954 CET	192.168.2.7	1.1.1.1	0x93af	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:35.841831923 CET	192.168.2.7	1.1.1.1	0xfb2b	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:35.842842102 CET	192.168.2.7	1.1.1.1	0xc27a	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:43.978607893 CET	192.168.2.7	1.1.1.1	0xfd88	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 21, 2024 19:58:43.994122982 CET	192.168.2.7	1.1.1.1	0x23fc	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:43.995923042 CET	192.168.2.7	1.1.1.1	0x217b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:58:44.033340931 CET	192.168.2.7	1.1.1.1	0x776d	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.367218018 CET	192.168.2.7	1.1.1.1	0x2e70	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.459861994 CET	192.168.2.7	1.1.1.1	0x8440	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.521899939 CET	192.168.2.7	1.1.1.1	0xb01d	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 21, 2024 19:58:44.708493948 CET	192.168.2.7	1.1.1.1	0xf4ba	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:59:05.404073954 CET	192.168.2.7	1.1.1.1	0xd9a1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:05.543484926 CET	192.168.2.7	1.1.1.1	0x2c8b	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:59:14.161860943 CET	192.168.2.7	1.1.1.1	0x7993	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:59:15.395309925 CET	192.168.2.7	1.1.1.1	0x15d2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:16.797396898 CET	192.168.2.7	1.1.1.1	0x6b0d	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:47.857637882 CET	192.168.2.7	1.1.1.1	0x429	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:48.000422955 CET	192.168.2.7	1.1.1.1	0xf856	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 21, 2024 19:59:49.278537035 CET	192.168.2.7	1.1.1.1	0x3986	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:49.417834044 CET	192.168.2.7	1.1.1.1	0x6d03	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 19:58:16.695930004 CET	1.1.1.1	192.168.2.7	0x395f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:16.695930004 CET	1.1.1.1	192.168.2.7	0x395f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.696662903 CET	1.1.1.1	192.168.2.7	0x370c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.696854115 CET	1.1.1.1	192.168.2.7	0x8482	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.837105036 CET	1.1.1.1	192.168.2.7	0x1499	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.841564894 CET	1.1.1.1	192.168.2.7	0xcdd	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:16.982213974 CET	1.1.1.1	192.168.2.7	0xf15f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 21, 2024 19:58:16.982785940 CET	1.1.1.1	192.168.2.7	0x50ff	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 21, 2024 19:58:17.057337046 CET	1.1.1.1	192.168.2.7	0x9e93	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:17.057337046 CET	1.1.1.1	192.168.2.7	0x9e93	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.057672024 CET	1.1.1.1	192.168.2.7	0xa9f5	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.213501930 CET	1.1.1.1	192.168.2.7	0x5248	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.425844908 CET	1.1.1.1	192.168.2.7	0xe9e9	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.426585913 CET	1.1.1.1	192.168.2.7	0x2d24	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.579957962 CET	1.1.1.1	192.168.2.7	0x2d3	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:17.579957962 CET	1.1.1.1	192.168.2.7	0x2d3	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:17.720558882 CET	1.1.1.1	192.168.2.7	0x5f69	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.072770119 CET	1.1.1.1	192.168.2.7	0x5638	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:18.072770119 CET	1.1.1.1	192.168.2.7	0x5638	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:18.072770119 CET	1.1.1.1	192.168.2.7	0x5638	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.145463943 CET	1.1.1.1	192.168.2.7	0x654b	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.145463943 CET	1.1.1.1	192.168.2.7	0x654b	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.147289991 CET	1.1.1.1	192.168.2.7	0xb9c9	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.214896917 CET	1.1.1.1	192.168.2.7	0x7c4f	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:18.214896917 CET	1.1.1.1	192.168.2.7	0x7c4f	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.228264093 CET	1.1.1.1	192.168.2.7	0x8361	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.299520969 CET	1.1.1.1	192.168.2.7	0x3f2d	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:18.316747904 CET	1.1.1.1	192.168.2.7	0x462c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:18.372195005 CET	1.1.1.1	192.168.2.7	0xff4d	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 21, 2024 19:58:18.463104963 CET	1.1.1.1	192.168.2.7	0x2a53	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:20.735759020 CET	1.1.1.1	192.168.2.7	0xcf5a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:20.735759020 CET	1.1.1.1	192.168.2.7	0xcf5a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:20.758805990 CET	1.1.1.1	192.168.2.7	0x9a0d	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:20.758805990 CET	1.1.1.1	192.168.2.7	0x9a0d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:20.907792091 CET	1.1.1.1	192.168.2.7	0x6902	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:22.777283907 CET	1.1.1.1	192.168.2.7	0x428c	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:22.777283907 CET	1.1.1.1	192.168.2.7	0x428c	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:22.777283907 CET	1.1.1.1	192.168.2.7	0x428c	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:22.874641895 CET	1.1.1.1	192.168.2.7	0x606d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:22.929156065 CET	1.1.1.1	192.168.2.7	0x73a	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:23.015511990 CET	1.1.1.1	192.168.2.7	0xa570	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:28.302337885 CET	1.1.1.1	192.168.2.7	0x45c2	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.347666979 CET	1.1.1.1	192.168.2.7	0x92be	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.349663019 CET	1.1.1.1	192.168.2.7	0x79a1	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:33.349663019 CET	1.1.1.1	192.168.2.7	0x79a1	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.350306988 CET	1.1.1.1	192.168.2.7	0x1732	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:33.350306988 CET	1.1.1.1	192.168.2.7	0x1732	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.706135988 CET	1.1.1.1	192.168.2.7	0x3aa7	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.766946077 CET	1.1.1.1	192.168.2.7	0x21f3	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:33.861548901 CET	1.1.1.1	192.168.2.7	0xa9f0	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 21, 2024 19:58:33.909652948 CET	1.1.1.1	192.168.2.7	0x19e1	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 21, 2024 19:58:34.070337057 CET	1.1.1.1	192.168.2.7	0x7001	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070337057 CET	1.1.1.1	192.168.2.7	0x7001	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070337057 CET	1.1.1.1	192.168.2.7	0x7001	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070337057 CET	1.1.1.1	192.168.2.7	0x7001	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070337057 CET	1.1.1.1	192.168.2.7	0x7001	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.070367098 CET	1.1.1.1	192.168.2.7	0x9b14	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.071831942 CET	1.1.1.1	192.168.2.7	0x222	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:34.218487024 CET	1.1.1.1	192.168.2.7	0xe75	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 21, 2024 19:58:34.218487024 CET	1.1.1.1	192.168.2.7	0xe75	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 21, 2024 19:58:34.218487024 CET	1.1.1.1	192.168.2.7	0xe75	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 21, 2024 19:58:34.218487024 CET	1.1.1.1	192.168.2.7	0xe75	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 21, 2024 19:58:35.837481022 CET	1.1.1.1	192.168.2.7	0xf507	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:35.838583946 CET	1.1.1.1	192.168.2.7	0x93af	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:35.838583946 CET	1.1.1.1	192.168.2.7	0x93af	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:35.838583946 CET	1.1.1.1	192.168.2.7	0x93af	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:35.838583946 CET	1.1.1.1	192.168.2.7	0x93af	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.365479946 CET	1.1.1.1	192.168.2.7	0x23fc	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.365479946 CET	1.1.1.1	192.168.2.7	0x23fc	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.365479946 CET	1.1.1.1	192.168.2.7	0x23fc	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.365479946 CET	1.1.1.1	192.168.2.7	0x23fc	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.458256006 CET	1.1.1.1	192.168.2.7	0x776d	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:44.458256006 CET	1.1.1.1	192.168.2.7	0x776d	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.521152020 CET	1.1.1.1	192.168.2.7	0x2e70	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.521152020 CET	1.1.1.1	192.168.2.7	0x2e70	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.521152020 CET	1.1.1.1	192.168.2.7	0x2e70	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.521152020 CET	1.1.1.1	192.168.2.7	0x2e70	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.706595898 CET	1.1.1.1	192.168.2.7	0x8440	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:58:44.741559029 CET	1.1.1.1	192.168.2.7	0xb01d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 21, 2024 19:58:44.741559029 CET	1.1.1.1	192.168.2.7	0xb01d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 21, 2024 19:58:44.741559029 CET	1.1.1.1	192.168.2.7	0xb01d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 21, 2024 19:58:44.741559029 CET	1.1.1.1	192.168.2.7	0xb01d	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 21, 2024 19:58:47.964539051 CET	1.1.1.1	192.168.2.7	0x9fa1	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:58:47.964539051 CET	1.1.1.1	192.168.2.7	0x9fa1	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:59:05.541990995 CET	1.1.1.1	192.168.2.7	0xd9a1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:14.160010099 CET	1.1.1.1	192.168.2.7	0x47a6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:15.598797083 CET	1.1.1.1	192.168.2.7	0x15d2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:59:15.598797083 CET	1.1.1.1	192.168.2.7	0x15d2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:16.934947968 CET	1.1.1.1	192.168.2.7	0x6b0d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:47.998723030 CET	1.1.1.1	192.168.2.7	0x429	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:49.416275978 CET	1.1.1.1	192.168.2.7	0x3986	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 21, 2024 19:59:49.416275978 CET	1.1.1.1	192.168.2.7	0x3986	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 21, 2024 19:59:49.562850952 CET	1.1.1.1	192.168.2.7	0x6d03	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	34.107.221.82	80	7832	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 19:58:16.819089890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:17.997879028 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38141 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49721	34.107.221.82	80	7832	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 19:58:18.342550993 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:19.473890066 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42025 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49722	34.107.221.82	80	7832	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 19:58:18.342669010 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:19.475991011 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 06:38:18 GMT Age: 44401 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49732	34.107.221.82	80	7832	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 19:58:19.822668076 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:21.001774073 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 20 Nov 2024 20:52:58 GMT Age: 79522 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:22.735176086 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:23.069227934 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 20 Nov 2024 20:52:58 GMT Age: 79524 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:27.516515970 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:27.851361990 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 20 Nov 2024 20:52:58 GMT Age: 79529 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:31.177465916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:31.512252092 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 20 Nov 2024 20:52:58 GMT Age: 79533 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:32.604430914 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:33.008335114 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 20 Nov 2024 20:52:58 GMT Age: 79534 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:35.704771996 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:36.039107084 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Wed, 20 Nov 2024 20:52:58 GMT Age: 79537 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49733	34.107.221.82	80	7832	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 19:58:19.822792053 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:20.913914919 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38144 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:22.737139940 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:23.052202940 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38146 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:27.717082977 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:28.034275055 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38151 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:31.235902071 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:31.550781012 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38155 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:32.974033117 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:33.288501024 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38157 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:35.713566065 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:36.028616905 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38159 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:45.393153906 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:45.726255894 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38169 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:45.752799988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:46.068934917 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38169 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:47.080956936 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:47.411345959 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38171 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:58:56.940017939 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:58:57.261846066 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38181 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:59:06.863646030 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:59:07.178546906 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38191 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:59:15.394768953 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:59:15.795069933 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38199 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:59:16.796242952 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:59:17.114115000 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38200 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:59:27.119956970 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 19:59:37.248059988 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 19:59:47.376651049 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 19:59:49.278661013 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 21, 2024 19:59:49.607856035 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 21 Nov 2024 08:22:36 GMT Age: 38233 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 21, 2024 19:59:59.611618042 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 20:00:09.740278959 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49785	34.107.221.82	80	7832	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 19:58:36.155040026 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:37.290460110 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42043 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:45.741744041 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:46.074515104 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42051 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49815	34.107.221.82	80	7832	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 21, 2024 19:58:46.208786011 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:47.342667103 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42053 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:47.414735079 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:47.739737034 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42053 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:58:57.265984058 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:58:57.608527899 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42063 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:59:07.181797028 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:59:07.506139040 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42073 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:59:15.799671888 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:59:16.136395931 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42081 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:59:17.117903948 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:59:17.442591906 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42083 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:59:27.452033043 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 19:59:37.580239058 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 19:59:47.708744049 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 19:59:49.611534119 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 21, 2024 19:59:49.936897039 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 21 Nov 2024 07:17:54 GMT Age: 42115 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 21, 2024 19:59:59.943873882 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 21, 2024 20:00:10.072367907 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	5
Start time:	13:58:07
Start date:	21/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x340000
File size:	923'136 bytes
MD5 hash:	7FA8AA5776C44304DEF2ED20C16D29EC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:58:07
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x5d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:58:07
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:58:10
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x5d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:58:10
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x5d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x5d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x5d0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:58:11
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	13:58:13
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2216 -prefMapHandle 2208 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {465c8df0-a64e-4b21-968c-39594786de50} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d06c36fb10 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	13:58:14
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -parentBuildID 20230927232528 -prefsHandle 2656 -prefMapHandle 3760 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de0863c1-3657-4b0c-badb-c22f4c5a2e62} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07e575510 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	13:58:20
Start date:	21/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5148 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c2582b2-479c-4318-ba99-be399e3cb30c} 7832 "\\.\pipe\gecko-crash-server-pipe.7832" 2d07d417710 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1558
Total number of Limit Nodes:	48

Executed Functions

Function 003442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0034430D

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

GetCurrentProcess.KERNEL32(?,003DCB64,00000000,?,?), ref: 00344422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00344429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00344454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00344466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00344474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0034447B
GetSystemInfo.KERNEL32(?,?,?), ref: 003444A0

Strings

GetNativeSystemInfo, xrefs: 00344460
kernel32.dll, xrefs: 0034444F
|O, xrefs: 003836F8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 04cc271c7b3b259ef869691d696775b60cc855a3407d1fa814436b88c27c686a
Instruction ID: 48336769f939185ac22b76ed7e4e3b5cfa1941603e319ab0f5e533a899416724
Opcode Fuzzy Hash: 04cc271c7b3b259ef869691d696775b60cc855a3407d1fa814436b88c27c686a
Instruction Fuzzy Hash: DFA1E66191A3C8CFEB13D77A7C443D57FE86B26700B08D4BAEAA197B39D2204504CB2D

Function 003442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,003450AA,?,?,00000000,00000000), ref: 003442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,003450AA,?,?,00000000,00000000), ref: 003442C9
LoadResource.KERNEL32(?,00000000,?,?,003450AA,?,?,00000000,00000000,?,?,?,?,?,?,00344F20), ref: 003835BE
SizeofResource.KERNEL32(?,00000000,?,?,003450AA,?,?,00000000,00000000,?,?,?,?,?,?,00344F20), ref: 003835D3
LockResource.KERNEL32(003450AA,?,?,003450AA,?,?,00000000,00000000,?,?,?,?,?,?,00344F20,?), ref: 003835E6

Strings

SCRIPT, xrefs: 003442BF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c74552ec2cbec3f901fbf9f3a02ec1ab269697918d39a562022f54e9311a79b0
Instruction ID: f5b4576c6b685d6125318cb2d4fd6b136e87f7282cf8ac1c0984f6a4acf4db22
Opcode Fuzzy Hash: c74552ec2cbec3f901fbf9f3a02ec1ab269697918d39a562022f54e9311a79b0
Instruction Fuzzy Hash: 36117CB1211701BFDB228BA5EC48F677BBDEBC5B51F10496EF4029A290DBB1E800C720

Function 00382BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00342B6B

Part of subcall function 00343A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00411418,?,00342E7F,?,?,?,00000000), ref: 00343A78

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00402224), ref: 00382C10
ShellExecuteW.SHELL32(00000000,?,?,00402224), ref: 00382C17

Strings

runas, xrefs: 00382C0B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 33a004857374991055168ae38715b0351567c5eb9a9ae64f290ed322d0d2a111
Instruction ID: e9ea26ce0522489e75f876eda9e4f391aa1fc7b7eb49927a1f7bba4a24431b8e
Opcode Fuzzy Hash: 33a004857374991055168ae38715b0351567c5eb9a9ae64f290ed322d0d2a111
Instruction Fuzzy Hash: 1911AF312083416AC707FF60D856AAFBBE89B91750F44542EB1822F0A2CF75AA49C752

Function 003AD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003AD501
Process32FirstW.KERNEL32(00000000,?), ref: 003AD50F
Process32NextW.KERNEL32(00000000,?), ref: 003AD52F
CloseHandle.KERNELBASE(00000000), ref: 003AD5DC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 9e221325095b29e18fad5848d415ca4652fbfa666ef25acf7e9e1d2b802e7b85
Instruction ID: 132897563cb4a28965b0ce3303d9ae4f290bd1b1f4a19578ef64a0e10d7fab51
Opcode Fuzzy Hash: 9e221325095b29e18fad5848d415ca4652fbfa666ef25acf7e9e1d2b802e7b85
Instruction Fuzzy Hash: 2D31A9715043019FD302DF54D885A6F7BF8EF9A354F14051DF5828A1A2EB71A944C792

Function 003ADBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00385222), ref: 003ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 003ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 003ADBEE
FindClose.KERNEL32(00000000), ref: 003ADBFA

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 292744bae61e096e9aa2b5bab2719b24560bc7320d707fc959fbe458292ba04b
Instruction ID: 1ccc9942dac273ea36d59c081b6d509334e00bc18b3f40d140d689814e26bde4
Opcode Fuzzy Hash: 292744bae61e096e9aa2b5bab2719b24560bc7320d707fc959fbe458292ba04b
Instruction Fuzzy Hash: 9DF0A03083192157C2226B78BC0D8AA376CDE02334F904B13F876C24E0EBB45D64C695

Function 00364CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(003728E9,?,00364CBE,003728E9,004088B8,0000000C,00364E15,003728E9,00000002,00000000,?,003728E9), ref: 00364D09
TerminateProcess.KERNEL32(00000000,?,00364CBE,003728E9,004088B8,0000000C,00364E15,003728E9,00000002,00000000,?,003728E9), ref: 00364D10
ExitProcess.KERNEL32 ref: 00364D22

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0ab5e8da386c239c22e1aab04d9b3c97c9b88485b34d556cb4e9bc6e91be779f
Instruction ID: 7e925ec7f0e9c4052fa7d1c55934929872d13aa656f5f0dd903482da2f6ae23d
Opcode Fuzzy Hash: 0ab5e8da386c239c22e1aab04d9b3c97c9b88485b34d556cb4e9bc6e91be779f
Instruction Fuzzy Hash: DEE0B631821149ABCF23AF54ED09A583F6DEB41781F119015FC098B127CB39DD52DA80

Function 0034BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#A, xrefs: 003907CE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#A
API String ID: 3964851224-348305189
Opcode ID: 1f9d18db0d5d9a6bb8f7d775c9318c12ecdecd5a38723b09e1901e134b74c195
Instruction ID: 01908081115a67b86ecb050cd3b6d236f64ba01114e3e6b5db2e42721c188fb0
Opcode Fuzzy Hash: 1f9d18db0d5d9a6bb8f7d775c9318c12ecdecd5a38723b09e1901e134b74c195
Instruction Fuzzy Hash: E9A27B706183019FCB56CF18C480B2ABBE5BF89304F15996DE99A8F362D771EC45CB92

Function 003CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 003CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003CB1D4
_wcslen.LIBCMT ref: 003CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003CB236
_wcslen.LIBCMT ref: 003CB332

Part of subcall function 003B05A7: GetStdHandle.KERNEL32(000000F6), ref: 003B05C6

_wcslen.LIBCMT ref: 003CB34B
_wcslen.LIBCMT ref: 003CB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003CB3B6
GetLastError.KERNEL32(00000000), ref: 003CB407
CloseHandle.KERNEL32(?), ref: 003CB439
CloseHandle.KERNEL32(00000000), ref: 003CB44A
CloseHandle.KERNEL32(00000000), ref: 003CB45C
CloseHandle.KERNEL32(00000000), ref: 003CB46E
CloseHandle.KERNEL32(?), ref: 003CB4E3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 20688d4dfe5c31722ddccfa296c704e12e2115562f24e71d97dd3755b2964f6b
Instruction ID: 962f36fc44d0f7b85b52fdfbecc7d0bee2373f7f07d98e883d92b572e3cb3fe4
Opcode Fuzzy Hash: 20688d4dfe5c31722ddccfa296c704e12e2115562f24e71d97dd3755b2964f6b
Instruction Fuzzy Hash: FCF179316082409FC716EF24C892F6ABBE5AF85314F15895DF8999F2A2CB31EC44CB52

Function 0034D730 Relevance: 21.6, APIs: 14, Instructions: 631windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0034D807
timeGetTime.WINMM ref: 0034DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034DB28
TranslateMessage.USER32(?), ref: 0034DB7B
DispatchMessageW.USER32(?), ref: 0034DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034DB9F
Sleep.KERNELBASE(0000000A), ref: 0034DBB1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 797f048a263237073a2613dc6aa44927f53ea2d6e9aef2b7faa8eee3beb1f847
Instruction ID: 2b0480ce52e9ae24f300c6afec049e83bc4a6bde9e28ea98b6b91614646b11aa
Opcode Fuzzy Hash: 797f048a263237073a2613dc6aa44927f53ea2d6e9aef2b7faa8eee3beb1f847
Instruction Fuzzy Hash: 2B42C130604642EFDB27DF24C885BAAB7E5FF46304F158569E8558F2A1D770F844CB92

Function 00342CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00342D07
RegisterClassExW.USER32(00000030), ref: 00342D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00342D42
InitCommonControlsEx.COMCTL32(?), ref: 00342D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00342D6F
LoadIconW.USER32(000000A9), ref: 00342D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00342D94

Strings

TaskbarCreated, xrefs: 00342D37
AutoIt v3 GUI, xrefs: 00342D23
+, xrefs: 00342CF0
0, xrefs: 00342CE9

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 72ca2f779e99efa455b43f247a4a2ce03ffdbd539dc639ee59d81c9b877e01d0
Instruction ID: c667096aa7e7e1451e689b6f65026ebf5233308abd760de02e5835c3af1bd0b9
Opcode Fuzzy Hash: 72ca2f779e99efa455b43f247a4a2ce03ffdbd539dc639ee59d81c9b877e01d0
Instruction Fuzzy Hash: B821C8B5D22219AFDB01DF94EC49BDDBBB8FB08701F00911AF621A62A0D7B14544CF55

Function 0038065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0038039A: CreateFileW.KERNELBASE(00000000,00000000,?,00380704,?,?,00000000,?,00380704,00000000,0000000C), ref: 003803B7

GetLastError.KERNEL32 ref: 0038076F
__dosmaperr.LIBCMT ref: 00380776
GetFileType.KERNELBASE(00000000), ref: 00380782
GetLastError.KERNEL32 ref: 0038078C
__dosmaperr.LIBCMT ref: 00380795
CloseHandle.KERNEL32(00000000), ref: 003807B5
CloseHandle.KERNEL32(?), ref: 003808FF
GetLastError.KERNEL32 ref: 00380931
__dosmaperr.LIBCMT ref: 00380938

Strings

H, xrefs: 003808BD

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d9a359fa6145bbcb74084ea300cc4f9b637fecb7d67048ca509f7893abe7b835
Instruction ID: e6d881d96ace1ea65e2caefaba85534c4caf88d7771aeff321d9630b7b33f1e7
Opcode Fuzzy Hash: d9a359fa6145bbcb74084ea300cc4f9b637fecb7d67048ca509f7893abe7b835
Instruction Fuzzy Hash: B2A15736A102048FDF1EEF68D852BAE7BA0EB06320F15419DF8159F2A1DB759C17CB91

Function 0034344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00343A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00411418,?,00342E7F,?,?,?,00000000), ref: 00343A78

Part of subcall function 00343357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00343379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0034356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0038318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003831CE
RegCloseKey.ADVAPI32(?), ref: 00383210
_wcslen.LIBCMT ref: 00383277
_wcslen.LIBCMT ref: 00383286

Strings

Include, xrefs: 00383184, 003831C5
Software\AutoIt v3\AutoIt, xrefs: 00343560
\, xrefs: 0038328C
\Include\, xrefs: 00343527

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: bf934288f0f6185abeb0b74e440ca9f26d54a7a882725a328d941be43b8cc093
Instruction ID: c2c627b43c436ccfcec5d45be21c4904a16132961a5555a2df0c144d2916c7a0
Opcode Fuzzy Hash: bf934288f0f6185abeb0b74e440ca9f26d54a7a882725a328d941be43b8cc093
Instruction Fuzzy Hash: 43719E714143059EC706EF25ED8199BBBE8FF85740F40883EF855CB261DB709A58CB55

Function 00342B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00342B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00342B9D
LoadIconW.USER32(00000063), ref: 00342BB3
LoadIconW.USER32(000000A4), ref: 00342BC5
LoadIconW.USER32(000000A2), ref: 00342BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00342BEF
RegisterClassExW.USER32(?), ref: 00342C40

Part of subcall function 00342CD4: GetSysColorBrush.USER32(0000000F), ref: 00342D07
Part of subcall function 00342CD4: RegisterClassExW.USER32(00000030), ref: 00342D31
Part of subcall function 00342CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00342D42
Part of subcall function 00342CD4: InitCommonControlsEx.COMCTL32(?), ref: 00342D5F
Part of subcall function 00342CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00342D6F
Part of subcall function 00342CD4: LoadIconW.USER32(000000A9), ref: 00342D85
Part of subcall function 00342CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00342D94

Strings

0, xrefs: 00342C0F
#, xrefs: 00342C16
AutoIt v3, xrefs: 00342C2F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: ea5a7fc55c2d863e407fda01a321cac934850f0f2e509b259030c6c001151740
Instruction ID: 824628e003e66e9d5b80be556dfd8255d2ab3ddf887463b5a6d35fdd371de7f1
Opcode Fuzzy Hash: ea5a7fc55c2d863e407fda01a321cac934850f0f2e509b259030c6c001151740
Instruction Fuzzy Hash: 8B214F74E21318AFEB119F95EC95AD97FB4FB08B50F00802AFA11A66B4D3B11540CF98

Function 00343170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0034316A,?,?), ref: 003431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0034316A,?,?), ref: 00343204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00343227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0034316A,?,?), ref: 00343232
CreatePopupMenu.USER32 ref: 00343246
PostQuitMessage.USER32(00000000), ref: 00343267

Strings

TaskbarCreated, xrefs: 0034322D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 445dd10f889e89f6a06723f25b24f9bdab4c14cacf412fe3b2a3de138e2e4b66
Instruction ID: 97ae8981462011ca36428691b6af293fac728e11c72580e58c26fbd10b42b0a7
Opcode Fuzzy Hash: 445dd10f889e89f6a06723f25b24f9bdab4c14cacf412fe3b2a3de138e2e4b66
Instruction Fuzzy Hash: 50411731260209ABDF172B78ED49BB93B9DE705300F044126FA228F5B5C7A5FB40D769

Function 00341410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00341459
CoUninitialize.COMBASE ref: 003414F8
UnregisterHotKey.USER32(?), ref: 003416DD
DestroyWindow.USER32(?), ref: 003824B9
FreeLibrary.KERNEL32(?), ref: 0038251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0038254B

Strings

close all, xrefs: 00341454

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: f8244ac1be52e687582a77a24274f0ee6f5e381f238a0797e4c4dacf3aa4310e
Instruction ID: ff94d643fb91a520376a1a1a8aa6a948eab0b918278a4d26e04eac05d2d89637
Opcode Fuzzy Hash: f8244ac1be52e687582a77a24274f0ee6f5e381f238a0797e4c4dacf3aa4310e
Instruction Fuzzy Hash: 40D16A317126128FCB1BEF15D899A6AF7A4BF05700F1542ADE84A6F262DB30ED52CF50

Function 00342C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00342C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00342CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00341CAD,?), ref: 00342CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00341CAD,?), ref: 00342CCF

Strings

edit, xrefs: 00342CAC
AutoIt v3, xrefs: 00342C89, 00342C8E, 00342C8F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: eaecb2873f92ce9999257a7874b13fa760cc7e3218085d8f28c4cb947608b7c7
Instruction ID: a254a00e9934a04a7f542b3ead52ee34942d2496a7d43c2323a01928d08b398d
Opcode Fuzzy Hash: eaecb2873f92ce9999257a7874b13fa760cc7e3218085d8f28c4cb947608b7c7
Instruction Fuzzy Hash: ABF0DA755A02987AFB311717BC08EB76EBDD7C6F50F00916AFE10A26B4C6711850DAB8

Function 00343B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00343B0F,SwapMouseButtons,00000004,?), ref: 00343B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00343B0F,SwapMouseButtons,00000004,?), ref: 00343B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00343B0F,SwapMouseButtons,00000004,?), ref: 00343B83

Strings

Control Panel\Mouse, xrefs: 00343B3E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4d3b9a35aa5a40ee71e55d076225e1879c553d81784288be14eaa3c9967709b3
Instruction ID: bec718540cdeab843f0cea7f1837cfdcabb05e01e86a9fcf456ba3f38d6262d5
Opcode Fuzzy Hash: 4d3b9a35aa5a40ee71e55d076225e1879c553d81784288be14eaa3c9967709b3
Instruction Fuzzy Hash: 8B112AB5521208FFDB228FA5DC44AAEB7FCEF04744B11855AA805DB110D231EF449B60

Function 00343923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003833A2

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00343A04

Strings

Line: , xrefs: 003833EB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: f7a9cfc9674dc93e6b22b6b49a1c4f980b1669031b7fa68ebb7b3a7ef5e2c033
Instruction ID: 9808f084bcbf06e850192816dafadce379aece6d81f6a4760c352ffe9b53a4f0
Opcode Fuzzy Hash: f7a9cfc9674dc93e6b22b6b49a1c4f980b1669031b7fa68ebb7b3a7ef5e2c033
Instruction Fuzzy Hash: 7331B471548304AAD723EF20DC46BEBB7ECAF41710F10492AF5999B1A1DB70A648CBC7

Function 00342DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00382C8C

Part of subcall function 00343AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00343A97,?,?,00342E7F,?,?,?,00000000), ref: 00343AC2

Part of subcall function 00342DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00342DC4

Strings

X, xrefs: 00382C5A
`e@, xrefs: 00382C85

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`e@
API String ID: 779396738-3348127276
Opcode ID: 19eaf77c69b24702cc3a4626ea6bc05dd43cc07debbc27eaf589f91be3e88757
Instruction ID: 55b68ad2882494db44ff10322aebdd114a2392e8140c1982d451c6c7b012f109
Opcode Fuzzy Hash: 19eaf77c69b24702cc3a4626ea6bc05dd43cc07debbc27eaf589f91be3e88757
Instruction Fuzzy Hash: 40219671A102589BDB02EF94C845BEE7BFC9F49314F00805AE505BF281DBB85689CF65

Function 0035FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00360668

Part of subcall function 003632A4: RaiseException.KERNEL32(?,?,?,0036068A,?,00411444,?,?,?,?,?,?,0036068A,00341129,00408738,00341129), ref: 00363304

__CxxThrowException@8.LIBVCRUNTIME ref: 00360685

Strings

Unknown exception, xrefs: 00360692

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 9604134a13f2ba75a6eb974f4607bf282991e3ba345af5c75cb56f682cfcbe22
Instruction ID: a4e0fec2f3a865e180b12f6adc5576aa18f4fc8d3f18afc05db809922243dbb7
Opcode Fuzzy Hash: 9604134a13f2ba75a6eb974f4607bf282991e3ba345af5c75cb56f682cfcbe22
Instruction Fuzzy Hash: 47F0C23490020DBBCB06BAA4DC57D9E77BC9E00314B60C535B9149A5EDEF71DA69C681

Function 003410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00341BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00341BF4
Part of subcall function 00341BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00341BFC
Part of subcall function 00341BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00341C07
Part of subcall function 00341BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00341C12
Part of subcall function 00341BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00341C1A
Part of subcall function 00341BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00341C22

Part of subcall function 00341B4A: RegisterWindowMessageW.USER32(00000004,?,003412C4), ref: 00341BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0034136A
OleInitialize.OLE32 ref: 00341388
CloseHandle.KERNEL32(00000000,00000000), ref: 003824AB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 8779bcbf9d9dbf07bb6b2078910c8dcaa96f168abb8ae0971f92e0faf6977712
Instruction ID: 397434a6fa65d2985d407694795951d3fe38a216a74b5343d779ab59265f1e1d
Opcode Fuzzy Hash: 8779bcbf9d9dbf07bb6b2078910c8dcaa96f168abb8ae0971f92e0faf6977712
Instruction Fuzzy Hash: 3A71C9B9922201AFC785EF7AA9456D53BE6FB88744744C23AD60ACB371EB304481CF4C

Function 003AC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00343923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00343A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003AC259
KillTimer.USER32(?,00000001,?,?), ref: 003AC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 003AC270

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: c1e4b176c9c3a3f28bf52dfa14dab4f197429d3cb260052e12504ea4c0a69814
Instruction ID: 7be3dae5bc7284c90dd22421b5bd71b40419c944287d485a6692ba72cc6cd05a
Opcode Fuzzy Hash: c1e4b176c9c3a3f28bf52dfa14dab4f197429d3cb260052e12504ea4c0a69814
Instruction Fuzzy Hash: 4B319370914344AFEF239F649855BEBBBECDB07304F00589AD6DAA7242C7745A84CB51

Function 003786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,003785CC,?,00408CC8,0000000C), ref: 00378704
GetLastError.KERNEL32(?,003785CC,?,00408CC8,0000000C), ref: 0037870E
__dosmaperr.LIBCMT ref: 00378739

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 15a058d8c51f6b6e7de18b77013bfddb710119fac3884d6f81a196ae04dfefdc
Instruction ID: 1d3597988ef66923b0535fb09957aef3e7dacc9a3cbe02f3bccdc08bb1a45fc3
Opcode Fuzzy Hash: 15a058d8c51f6b6e7de18b77013bfddb710119fac3884d6f81a196ae04dfefdc
Instruction Fuzzy Hash: 7F016B36B4526036E63B6334684E77E278A4B81774F3AC119F90C9F0E2DEEC8C81C150

Function 0034DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0034DB7B
DispatchMessageW.USER32(?), ref: 0034DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034DB9F
Sleep.KERNELBASE(0000000A), ref: 0034DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00391CC9

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 830e423de65d474f12f9f945830017ba15957093ec9879c4df5edce839fd4e7b
Instruction ID: 0a97dfe7466acbd0820c8a50fb98c9d231ab92afb93201f2410b23582837a69c
Opcode Fuzzy Hash: 830e423de65d474f12f9f945830017ba15957093ec9879c4df5edce839fd4e7b
Instruction Fuzzy Hash: 6EF05E306253419BEB31DB609C49FEA73ECEB45310F10862AE65A970D0DB30A488CB19

Function 00351310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 003517F6

Strings

CALL, xrefs: 003517C6

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 583deebbd4d0b12e15720dd814d14dba51351c2509e3549b0dcf961307f890cb
Instruction ID: 56095f8d414cf6c33bd744b5e97ebb516cdde196dd3584e4cd96abe46480d289
Opcode Fuzzy Hash: 583deebbd4d0b12e15720dd814d14dba51351c2509e3549b0dcf961307f890cb
Instruction Fuzzy Hash: 8022AB706082419FCB16DF14C481F2ABBF5BF89315F15892DF8968B362D771E949CB82

Function 00343837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00343908

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: b0a947481b381cb0a84eccd6b3fe1be82047c1390aa8c7ababd48a16bf147b5f
Instruction ID: 68fc09e3eb0644d6fe2c3ece7d467d602aa32a89ffad93b37849683ed46f218a
Opcode Fuzzy Hash: b0a947481b381cb0a84eccd6b3fe1be82047c1390aa8c7ababd48a16bf147b5f
Instruction Fuzzy Hash: C93175706057059FE722DF24D8857D7B7E8FB49704F00092EFA998B250D771AA44CB52

Function 0035F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0035F661

Part of subcall function 0034D730: GetInputState.USER32 ref: 0034D807

Sleep.KERNEL32(00000000), ref: 0039F2DE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 8c4b8fb07b5f277b31fbb4162fe622c1fa0a8ff050600604d5fd7ea141d6805a
Instruction ID: 6c0ad1ee763e408bc732cdaa3db43e06cc1ac75eb5ed766e730630c0fa7fc3a7
Opcode Fuzzy Hash: 8c4b8fb07b5f277b31fbb4162fe622c1fa0a8ff050600604d5fd7ea141d6805a
Instruction Fuzzy Hash: A4F08C31250205AFD311EF69E549B6AFBE8EF46761F00006AF85DCB2A0DB70B800CB90

Function 00344ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00344E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00344EDD,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344E9C
Part of subcall function 00344E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00344EAE
Part of subcall function 00344E90: FreeLibrary.KERNEL32(00000000,?,?,00344EDD,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344EFD

Part of subcall function 00344E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00383CDE,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344E62
Part of subcall function 00344E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00344E74
Part of subcall function 00344E59: FreeLibrary.KERNEL32(00000000,?,?,00383CDE,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344E87

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 930bdb51eb5efb69bf0946bc7358aa27ed28abf0c1cde559524a95b588ef3e68
Instruction ID: 50cdafa79de0adf25a961e74aeb0352b2f3aaf8ffbc7cfe688b3c501a3c801f6
Opcode Fuzzy Hash: 930bdb51eb5efb69bf0946bc7358aa27ed28abf0c1cde559524a95b588ef3e68
Instruction Fuzzy Hash: 02119132610305AADF16BB64D802BAD77E5AF40B11F10843AF542AE1D1EE75EA499B50

Function 00378402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00378440

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d20b4ac976af7f361bd954fc0d066af7dff4ebcf4aeb2e5013edd8764f318514
Instruction ID: e4fded9325064aefe72e88a617cb51150da3eaaccf9cde7d45400f4c08b5bc15
Opcode Fuzzy Hash: d20b4ac976af7f361bd954fc0d066af7dff4ebcf4aeb2e5013edd8764f318514
Instruction Fuzzy Hash: 09114C7190410AAFCB16DF59E94499A7BF4EF48310F118059F808AB311DB70DA11CB64

Function 00375000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00374C7D: RtlAllocateHeap.NTDLL(00000008,00341129,00000000,?,00372E29,00000001,00000364,?,?,?,0036F2DE,00373863,00411444,?,0035FDF5,?), ref: 00374CBE

_free.LIBCMT ref: 0037506C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 3dea38cc65aa6ef5c078eba41a1db8c8737075a7c9fef3739ffe6d0c6fa1ba3b
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 94012B722047096BE3368E659841A5AFBECFB89370F25451DE19887280E7746805C674

Function 0036E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: a8682b4106e7f62ddd0ec7bf3f8cd85a754ab587df9702e927fb6cf73183cbfe
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 3DF0283A910A14AAC7333A79DC09B5B339C9F52330F11C715F5289B1D6CB78E80A86A6

Function 00374C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00341129,00000000,?,00372E29,00000001,00000364,?,?,?,0036F2DE,00373863,00411444,?,0035FDF5,?), ref: 00374CBE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6202775199f74aa4dcaa14d169880ae924bd030ce1568b3d383a3ac396c422cd
Instruction ID: c3a4bd237313c255839d0b1dbf688eece8f630b4badedb2dd48e348f172b43b7
Opcode Fuzzy Hash: 6202775199f74aa4dcaa14d169880ae924bd030ce1568b3d383a3ac396c422cd
Instruction Fuzzy Hash: 5CF0B431602226B6DB335F629C05B5A3788AF41BA0B1AC521BD1DAA594CB78FC008AA0

Function 00373820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00411444,?,0035FDF5,?,?,0034A976,00000010,00411440,003413FC,?,003413C6,?,00341129), ref: 00373852

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 05e92461731c5474370d60d167e7877d29236c040ff730d7e3f027b18331c1cc
Instruction ID: bdb1dce1dbc524f4f95b2475af650d5ebbf0a8281eb65c1631ec94dff773af75
Opcode Fuzzy Hash: 05e92461731c5474370d60d167e7877d29236c040ff730d7e3f027b18331c1cc
Instruction Fuzzy Hash: 34E0E531501225B6E7332A669C00F9A374CAF427B0F06C122BC1C9A995CB79DD05A2E3

Function 00344F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344F6D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 3932d11aa9b7d26bb7cd646beb30ac5c2f984afc42aaeb461c738c8404738513
Instruction ID: 6d943b7c86c713cc9a71943fb53816a72e0dc661cbd64493462d68f5f669813b
Opcode Fuzzy Hash: 3932d11aa9b7d26bb7cd646beb30ac5c2f984afc42aaeb461c738c8404738513
Instruction Fuzzy Hash: 8EF03071105752CFDB369F64E494912B7E4AF14319311897EE1EA8A921C731A848DF10

Function 003D2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003D2A66

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 8685967939dc5fba8b3b8ced6146d740ab54c2d99ead9084338440749614c70e
Instruction ID: 5e05dd7707fd684743197495de7c8c1ac327a852d552d34d1c82762be7f87495
Opcode Fuzzy Hash: 8685967939dc5fba8b3b8ced6146d740ab54c2d99ead9084338440749614c70e
Instruction Fuzzy Hash: F9E04F76361116AAC716EA30EC809FBB35CEBA5395B10453BBC16C6600EF30D99586A0

Function 003430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0034314E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 6fced13f63395cc994ef62e02f58b2f3f5a2aad638da9cda64722ecf98b74f68
Instruction ID: 4459e4be0ce3f0423c6593c0bb36b9f77a08c8375ee804f550c096fc8f3228a5
Opcode Fuzzy Hash: 6fced13f63395cc994ef62e02f58b2f3f5a2aad638da9cda64722ecf98b74f68
Instruction Fuzzy Hash: 48F0A0B09103189FEB539B24DC4A7DA7BFCAB01708F0040E9A68897296DB705B88CF55

Function 00342DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00342DC4

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 803e15121884b86ccfac76575b9a1a739d9c3f6fe68a5a470da479f32eb048fb
Instruction ID: d68f3e02e931dbd5e9db80adc0de45f3a9ef3e0657fe6457fb75d058dc0a5507
Opcode Fuzzy Hash: 803e15121884b86ccfac76575b9a1a739d9c3f6fe68a5a470da479f32eb048fb
Instruction Fuzzy Hash: 2EE0CD726002245BCB11A6589C06FDA77DDDFC8790F0401B1FD09DB248D960AD80C651

Function 00342B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00343837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00343908

Part of subcall function 0034D730: GetInputState.USER32 ref: 0034D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00342B6B

Part of subcall function 003430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0034314E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 1a7704a0918451ea1b84d1f16599c3555b9543d173f290e06356ea8894dbfcdb
Instruction ID: ad548e45e40e13eb804957b95b83f9d80166576dc8f3e13d2c8b9b60d5447351
Opcode Fuzzy Hash: 1a7704a0918451ea1b84d1f16599c3555b9543d173f290e06356ea8894dbfcdb
Instruction Fuzzy Hash: 42E0262130020407CA06BB34A8125AEB7C98BD1311F40153FF1424F173CF6465898212

Function 0038039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00380704,?,?,00000000,?,00380704,00000000,0000000C), ref: 003803B7

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: caf4c0e6f6489b3f3a78ecaf74af98aad35d462a4fb5ce084f23f341902e9aee
Instruction ID: 1c6ac7f71a1a23327a682f0ccaf483013b63f3c43576f8b3cc136436bf844b02
Opcode Fuzzy Hash: caf4c0e6f6489b3f3a78ecaf74af98aad35d462a4fb5ce084f23f341902e9aee
Instruction Fuzzy Hash: 9FD06C3205010DBBDF028F84ED06EDA3BAAFB48714F014000BE1856020C732E821EB90

Function 00341CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00341CBC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7039ef247447f54af5f71650ff176f59751a6dad56f6841097150c08caed6b8c
Instruction ID: de25b605c379c076237611fc7e0bcfa43030915d63bf0f3efcf3659fc6bf86dc
Opcode Fuzzy Hash: 7039ef247447f54af5f71650ff176f59751a6dad56f6841097150c08caed6b8c
Instruction Fuzzy Hash: 46C09B35290305AFF6154780BD4AF507755E348B00F04C111F709955F3C3E11420D654

Non-executed Functions

Function 003D9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 003D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003D96C9
SendMessageW.USER32 ref: 003D96F2
GetKeyState.USER32(00000011), ref: 003D978B
GetKeyState.USER32(00000009), ref: 003D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003D97AE
GetKeyState.USER32(00000010), ref: 003D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003D97E9
SendMessageW.USER32 ref: 003D9810
SendMessageW.USER32(?,00001030,?,003D7E95), ref: 003D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003D9941
SetCapture.USER32(?), ref: 003D994A
ClientToScreen.USER32(?,?), ref: 003D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003D99D6
ReleaseCapture.USER32 ref: 003D99E1
GetCursorPos.USER32(?), ref: 003D9A19
ScreenToClient.USER32(?,?), ref: 003D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 003D9A80
SendMessageW.USER32 ref: 003D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 003D9AEB
SendMessageW.USER32 ref: 003D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 003D9B4A
GetCursorPos.USER32(?), ref: 003D9B68
ScreenToClient.USER32(?,?), ref: 003D9B75
GetParent.USER32(?), ref: 003D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 003D9BFA
SendMessageW.USER32 ref: 003D9C2B
ClientToScreen.USER32(?,?), ref: 003D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 003D9CDE
SendMessageW.USER32 ref: 003D9D01
ClientToScreen.USER32(?,?), ref: 003D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003D9D82

Part of subcall function 00359944: GetWindowLongW.USER32(?,000000EB), ref: 00359952

GetWindowLongW.USER32(?,000000F0), ref: 003D9E05

Strings

@GUI_DRAGID, xrefs: 003D997D
p#A, xrefs: 003D9990
F, xrefs: 003D9D07

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#A
API String ID: 3429851547-3939693707
Opcode ID: 08d914f749f6f095558d420b59c29743e49c8155c590d8ef106d06dd76642272
Instruction ID: c24316bbef173b3b81ac0f789e58a279aedec18b9cf8d75a6e4d6e2e381f5f5c
Opcode Fuzzy Hash: 08d914f749f6f095558d420b59c29743e49c8155c590d8ef106d06dd76642272
Instruction Fuzzy Hash: 8F429D72215201AFD722CF24EC44BAABBE9FF49320F15461BF6999B3A1D731E854CB41

Function 003D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 003D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 003D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 003D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 003D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 003D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 003D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 003D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 003D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 003D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 003D4A7E
IsMenu.USER32(?), ref: 003D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003D4B20
GetWindowLongW.USER32(?,000000F0), ref: 003D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 003D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 003D4C82
wsprintfW.USER32 ref: 003D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 003D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 003D4D5A

Strings

%d/%02d/%02d, xrefs: 003D4CA8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: e69cec27175b0082b10a18b0cab4d4887bb925688e0cc94417814b19b5a3dd19
Instruction ID: ae99f5de10dc7c303793d60a5972843124f32d43ffa6c128c0099458b6c74c29
Opcode Fuzzy Hash: e69cec27175b0082b10a18b0cab4d4887bb925688e0cc94417814b19b5a3dd19
Instruction Fuzzy Hash: 9512F072610215ABEB268F24EC49FAEBBFCEF45310F14412AF915EB2E1DB749940CB50

Function 0035F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0035F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039F474
IsIconic.USER32(00000000), ref: 0039F47D
ShowWindow.USER32(00000000,00000009), ref: 0039F48A
SetForegroundWindow.USER32(00000000), ref: 0039F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0039F4AA
GetCurrentThreadId.KERNEL32 ref: 0039F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0039F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0039F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0039F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0039F4DE
SetForegroundWindow.USER32(00000000), ref: 0039F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039F4F6
keybd_event.USER32(00000012,00000000), ref: 0039F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039F50B
keybd_event.USER32(00000012,00000000), ref: 0039F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039F519
keybd_event.USER32(00000012,00000000), ref: 0039F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039F528
keybd_event.USER32(00000012,00000000), ref: 0039F52D
SetForegroundWindow.USER32(00000000), ref: 0039F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0039F557

Strings

Shell_TrayWnd, xrefs: 0039F46F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 4768f86f701423eef530c0b40cf3715bc3615f59aa41dc7a6d0fa71075deb85d
Instruction ID: 75c63f85e9d597863b723b8437fcf8f35d113976a5813b17441aa1fa4e5fa75a
Opcode Fuzzy Hash: 4768f86f701423eef530c0b40cf3715bc3615f59aa41dc7a6d0fa71075deb85d
Instruction Fuzzy Hash: CF319671A602197FEF226BB66C49FBF7F6DEB45B50F111066FA00E61D1C6B05D00EA60

Function 003A1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 003A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003A170D
Part of subcall function 003A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003A173A
Part of subcall function 003A16C3: GetLastError.KERNEL32 ref: 003A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 003A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 003A12A8
CloseHandle.KERNEL32(?), ref: 003A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003A12D1
GetProcessWindowStation.USER32 ref: 003A12EA
SetProcessWindowStation.USER32(00000000), ref: 003A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 003A1310

Part of subcall function 003A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003A11FC), ref: 003A10D4
Part of subcall function 003A10BF: CloseHandle.KERNEL32(?,?,003A11FC), ref: 003A10E9

Strings

Z@, xrefs: 003A1392
default, xrefs: 003A130B
, xrefs: 003A125A
winsta0, xrefs: 003A12CC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z@
API String ID: 22674027-2232833548
Opcode ID: adda7dae6871a697b04cce43cf484ebb0c06ca031c45e17170b8a7905a2106a6
Instruction ID: 93c159dfcb4cdbad855b28b95f464c7966029940cb3569873d1878eb2c1bc1b7
Opcode Fuzzy Hash: adda7dae6871a697b04cce43cf484ebb0c06ca031c45e17170b8a7905a2106a6
Instruction Fuzzy Hash: B7818D71910209AFDF229FA9DC49FEE7BBDEF09704F18412AF911EA1A0D7758944CB60

Function 003A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003A1114
Part of subcall function 003A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A1120
Part of subcall function 003A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A112F
Part of subcall function 003A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A1136
Part of subcall function 003A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003A0C00
GetLengthSid.ADVAPI32(?), ref: 003A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 003A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003A0C6D
GetLengthSid.ADVAPI32(?), ref: 003A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003A0C8C
HeapAlloc.KERNEL32(00000000), ref: 003A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003A0CB4
CopySid.ADVAPI32(00000000), ref: 003A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A0D45
HeapFree.KERNEL32(00000000), ref: 003A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A0D55
HeapFree.KERNEL32(00000000), ref: 003A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A0D65
HeapFree.KERNEL32(00000000), ref: 003A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 003A0D78
HeapFree.KERNEL32(00000000), ref: 003A0D7F

Part of subcall function 003A1193: GetProcessHeap.KERNEL32(00000008,003A0BB1,?,00000000,?,003A0BB1,?), ref: 003A11A1
Part of subcall function 003A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003A0BB1,?), ref: 003A11A8
Part of subcall function 003A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003A0BB1,?), ref: 003A11B7

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1d34c71ca5fc865993d3c42c208b4a13c2f9df8fd6bdbede7fe59b87c362ddef
Instruction ID: deb75a672100eaaacfa4b5aacb12e75cdb6f536cfa7ddaf25ef7abc36278fd19
Opcode Fuzzy Hash: 1d34c71ca5fc865993d3c42c208b4a13c2f9df8fd6bdbede7fe59b87c362ddef
Instruction Fuzzy Hash: FB718B7291121AABDF16DFA4EC44BAEBBBCFF05310F054215E914A7291D771E905CBA0

Function 003BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(003DCC08), ref: 003BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 003BEB37
GetClipboardData.USER32(0000000D), ref: 003BEB43
CloseClipboard.USER32 ref: 003BEB4F
GlobalLock.KERNEL32(00000000), ref: 003BEB87
CloseClipboard.USER32 ref: 003BEB91
GlobalUnlock.KERNEL32(00000000), ref: 003BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 003BEBC9
GetClipboardData.USER32(00000001), ref: 003BEBD1
GlobalLock.KERNEL32(00000000), ref: 003BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 003BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 003BEC38
GetClipboardData.USER32(0000000F), ref: 003BEC44
GlobalLock.KERNEL32(00000000), ref: 003BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 003BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 003BECD2
GlobalUnlock.KERNEL32(00000000), ref: 003BECF3
CountClipboardFormats.USER32 ref: 003BED14
CloseClipboard.USER32 ref: 003BED59

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: a0d32a248556bca67bb413e7fdfa18161433ff5c45ee37a0ef71524399124952
Instruction ID: 0f9bed9e9e4aedf30ec3e80a8529237f837ae8fee2f1c1061d915ca0039e90f4
Opcode Fuzzy Hash: a0d32a248556bca67bb413e7fdfa18161433ff5c45ee37a0ef71524399124952
Instruction Fuzzy Hash: C461F4352143029FD302EF28D895FAA77E8EF84708F08551EF5569B6A2CB71ED05CB62

Function 003B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003B69BE
FindClose.KERNEL32(00000000), ref: 003B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003B6A75

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 003B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 003B6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 003B6B6A
%03d, xrefs: 003B6DA2
%02d, xrefs: 003B6C00, 003B6C0A, 003B6C5A, 003B6CAA, 003B6CFA, 003B6D4A
%4d, xrefs: 003B6BB1
%4d%02d%02d%02d%02d%02d%03d, xrefs: 003B6B32

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 577668ce614aa5b9ab892dd472e80135011b0b6e9b1340e229d25f5482c9b25c
Instruction ID: c8a314a7edafd2916bb20a325d2b2b49f38525f7bbd29116669ca538876f3b0b
Opcode Fuzzy Hash: 577668ce614aa5b9ab892dd472e80135011b0b6e9b1340e229d25f5482c9b25c
Instruction Fuzzy Hash: 47D154715083009FC711EBA4D986EAFB7ECAF88704F44491EF585DB191EB74EA48CB62

Function 003B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 003B9663
GetFileAttributesW.KERNEL32(?), ref: 003B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 003B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 003B96D3
FindClose.KERNEL32(00000000), ref: 003B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 003B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 003B974A
SetCurrentDirectoryW.KERNEL32(00406B7C), ref: 003B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 003B9772
FindClose.KERNEL32(00000000), ref: 003B977F
FindClose.KERNEL32(00000000), ref: 003B978F

Strings

*.*, xrefs: 003B96F5

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 26e4afb8191699392ca1b3472e0750a67fd2404c0a89486f7eadd1bff7c8a40b
Instruction ID: 1a3552c255ed5404ad74e3cab82f0e6e024074afcfa0c5d1afd57140bd2111b0
Opcode Fuzzy Hash: 26e4afb8191699392ca1b3472e0750a67fd2404c0a89486f7eadd1bff7c8a40b
Instruction Fuzzy Hash: D631E27252121A6ACF12AFB4EC49BDE37EC9F09324F114567FA05E21A0EB34DD40CA54

Function 003B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 003B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 003B9819
FindClose.KERNEL32(00000000), ref: 003B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 003B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 003B9890
SetCurrentDirectoryW.KERNEL32(00406B7C), ref: 003B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 003B98B8
FindClose.KERNEL32(00000000), ref: 003B98C5
FindClose.KERNEL32(00000000), ref: 003B98D5

Part of subcall function 003ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003ADB00

Strings

*.*, xrefs: 003B983B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 9033969a80e604566d65ec2b13d15ec6b792bcf3914e6766b3f4d9e941ef3e6e
Instruction ID: c1fd4ce79c97f9be2a454657ab4f49e9083d252e225f2f6350e845e3d7736d76
Opcode Fuzzy Hash: 9033969a80e604566d65ec2b13d15ec6b792bcf3914e6766b3f4d9e941ef3e6e
Instruction Fuzzy Hash: 0B31F23251121A6ADF12EFB4EC48BDE77BC9F06324F118567EB14E25E0DB31DA84CA64

Function 003CBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003CB6AE,?,?), ref: 003CC9B5
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CC9F1
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA68
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003CBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 003CBFA9
RegCloseKey.ADVAPI32(00000000), ref: 003CBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003CC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003CC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 003CC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 003CC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 003CC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 003CC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003CC382
RegCloseKey.ADVAPI32(00000000), ref: 003CC38F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 6e945bb4d7bd760a3ce6bdf07d07886f4494afc87618013abcb21527948fc7d6
Instruction ID: 5c2079983cdb6936633dead4d11f9949aa27d0fb534a0588778e1f691fe1ccdb
Opcode Fuzzy Hash: 6e945bb4d7bd760a3ce6bdf07d07886f4494afc87618013abcb21527948fc7d6
Instruction Fuzzy Hash: 9F0239716142409FC716DF28C895F2ABBE5AF89308F19889DE84ACF2A2D731ED45CB51

Function 003B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 003B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 003B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 003B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 003B8395

Strings

*.*, xrefs: 003B839B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: e3db7c34b910a0a65fc9379c0794e25aa91eb29ee7e95809dd156571179392e9
Instruction ID: c9c7423ca2edbe8070a7d9b68f4dadec6f33c3a4c001b2482691d4df6cbfd4b5
Opcode Fuzzy Hash: e3db7c34b910a0a65fc9379c0794e25aa91eb29ee7e95809dd156571179392e9
Instruction Fuzzy Hash: 33617A765143459FCB12EF64C840AAEB3ECFF89314F04891EFA898B651DB35E905CB92

Function 003AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00343AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00343A97,?,?,00342E7F,?,?,?,00000000), ref: 00343AC2

Part of subcall function 003AE199: GetFileAttributesW.KERNEL32(?,003ACF95), ref: 003AE19A

FindFirstFileW.KERNEL32(?,?), ref: 003AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 003AD1DD
MoveFileW.KERNEL32(?,?), ref: 003AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 003AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 003AD237

Part of subcall function 003AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,003AD21C,?,?), ref: 003AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 003AD253
FindClose.KERNEL32(00000000), ref: 003AD264

Strings

\*.*, xrefs: 003AD0CD, 003AD0D6, 003AD0EB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 7724b3a99bc4075bdd7b0d5a6c2f0920ca43ba9e839f24d3bf484f0ce37d8688
Instruction ID: 8ad8800ac643835e3fe0fe393b1cd2ee153ff3ce9ba10cae71ff1196a53727e6
Opcode Fuzzy Hash: 7724b3a99bc4075bdd7b0d5a6c2f0920ca43ba9e839f24d3bf484f0ce37d8688
Instruction Fuzzy Hash: DD616E3184114D9BCF06EBE0D992AEDB7B9EF56300F204566E4027B192EB30AF09CB60

Function 003BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003BED91
EmptyClipboard.USER32 ref: 003BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 003BEDAC
CloseClipboard.USER32 ref: 003BEEA3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 27dcedb17306bfdfc65abf92454eca270a813d7c6e98516a6be4c2000c5753d4
Instruction ID: db5356ffefd939eeb5a319a7fcd8eafbd8da853b715dd59f1346079bb55a556d
Opcode Fuzzy Hash: 27dcedb17306bfdfc65abf92454eca270a813d7c6e98516a6be4c2000c5753d4
Instruction Fuzzy Hash: 3741EF30215212AFE712CF19E888B99BBE8EF44318F05D09DE9158FA62C775EC41CB80

Function 003AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003A170D
Part of subcall function 003A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003A173A
Part of subcall function 003A16C3: GetLastError.KERNEL32 ref: 003A174A

ExitWindowsEx.USER32(?,00000000), ref: 003AE932

Strings

, xrefs: 003AE95C
SeShutdownPrivilege, xrefs: 003AE902
, xrefs: 003AE920
@, xrefs: 003AE925

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 62cb944c317300a0fcc7b54607f499ea809c40d79c0f94203531493b4cb2b704
Instruction ID: 17b542632cfb25ea5768e0c3ed5d6ecd28ff8b667a1f269e4a0d666b626e47ed
Opcode Fuzzy Hash: 62cb944c317300a0fcc7b54607f499ea809c40d79c0f94203531493b4cb2b704
Instruction Fuzzy Hash: A1014972620311ABEB5626B4AC8AFFF735CEB06740F16082AFC13F60D1D7AC5C4081A4

Function 003C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003C1276
WSAGetLastError.WSOCK32 ref: 003C1283
bind.WSOCK32(00000000,?,00000010), ref: 003C12BA
WSAGetLastError.WSOCK32 ref: 003C12C5
closesocket.WSOCK32(00000000), ref: 003C12F4
listen.WSOCK32(00000000,00000005), ref: 003C1303
WSAGetLastError.WSOCK32 ref: 003C130D
closesocket.WSOCK32(00000000), ref: 003C133C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ba3881dd1fae1d07442f27beeb1f8c2cb7855ffbe95053bd0aa2a68e97e9bd74
Instruction ID: 9d794d8ce1d29e3888d20a070d6de69e68d17e92f2bb4da7261c896bac06ffea
Opcode Fuzzy Hash: ba3881dd1fae1d07442f27beeb1f8c2cb7855ffbe95053bd0aa2a68e97e9bd74
Instruction Fuzzy Hash: 2441AD35A001419FD712DF24D488F2AFBE5AF46318F19858DE8568F2A7C731ED81DBA0

Function 0037B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0037B9D4
_free.LIBCMT ref: 0037B9F8
_free.LIBCMT ref: 0037BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003E3700), ref: 0037BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0041121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0037BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00411270,000000FF,?,0000003F,00000000,?), ref: 0037BC36
_free.LIBCMT ref: 0037BD4B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 4432f67dbfba03a4eba83da0cb549f064f6c4c2caf7bf5f94baff6b559168495
Instruction ID: 967456fb6e59edc3115d4b41ce2ea5978200037a6929e4ac64e245c3535d959f
Opcode Fuzzy Hash: 4432f67dbfba03a4eba83da0cb549f064f6c4c2caf7bf5f94baff6b559168495
Instruction Fuzzy Hash: 2AC129759042059FDB33AF788C41BAAFBB8EF42310F15C1AAE999DB251E7388E41C750

Function 003AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00343AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00343A97,?,?,00342E7F,?,?,?,00000000), ref: 00343AC2

Part of subcall function 003AE199: GetFileAttributesW.KERNEL32(?,003ACF95), ref: 003AE19A

FindFirstFileW.KERNEL32(?,?), ref: 003AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 003AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 003AD481
FindClose.KERNEL32(00000000), ref: 003AD498
FindClose.KERNEL32(00000000), ref: 003AD4A1

Strings

\*.*, xrefs: 003AD3F2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: e308b34c6ca5fff8e1973acd8f13140ae4c5c5945bff51172e8978550ab28d76
Instruction ID: 0256816a9e138704853236ebed3e713266a7473de928400668152d6354e06fce
Opcode Fuzzy Hash: e308b34c6ca5fff8e1973acd8f13140ae4c5c5945bff51172e8978550ab28d76
Instruction Fuzzy Hash: BA3170710193459FC702EF64D8569AF77E8EE96304F444E1EF4D25B1A1EB30AA09C763

Function 0037E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0037E645

Strings

1#QNAN, xrefs: 0037F84B
1#INF, xrefs: 0037F852
1#SNAN, xrefs: 0037F844
1#IND, xrefs: 0037F83D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: fb4a72e0681c92d4beb463cad84a3fe148b23a65bdee15bfcea0fc7a659153cd
Instruction ID: 38e4480948d197e80aec07c5f67638f9d629278b11056bc1ab4c54df8004e0d5
Opcode Fuzzy Hash: fb4a72e0681c92d4beb463cad84a3fe148b23a65bdee15bfcea0fc7a659153cd
Instruction Fuzzy Hash: 70C21B71E086298FDB36CE289D407E9B7B9FB49315F1581EAD44DE7240E778AE818F40

Function 003B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003B64DC
CoInitialize.OLE32(00000000), ref: 003B6639
CoCreateInstance.OLE32(003DFCF8,00000000,00000001,003DFB68,?), ref: 003B6650
CoUninitialize.OLE32 ref: 003B68D4

Strings

.lnk, xrefs: 003B64BA, 003B6524, 003B65E0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 74eb78adc6eed6f19a93634e00f191dbbf8f8533bb69cc3424a990d1041033c1
Instruction ID: db5be4ce87371888006cdb1f60a851edd7dbec206dd8d0eeb0b8705659ce26c2
Opcode Fuzzy Hash: 74eb78adc6eed6f19a93634e00f191dbbf8f8533bb69cc3424a990d1041033c1
Instruction Fuzzy Hash: 5AD139715082019FC315EF24C881EABB7E9FF95708F10496DF5958B2A2DB71ED09CB92

Function 003C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 003C22E8

Part of subcall function 003BE4EC: GetWindowRect.USER32(?,?), ref: 003BE504

GetDesktopWindow.USER32 ref: 003C2312
GetWindowRect.USER32(00000000), ref: 003C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 003C2355
GetCursorPos.USER32(?), ref: 003C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003C23DF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 59ad38491d1614b8e9cdc10955df483f1693b390befd2818d44d6bfb9ea21b7f
Instruction ID: efecd17249da82190f8179bb175d64d285124832a5bffb22c10563b7ce5807e0
Opcode Fuzzy Hash: 59ad38491d1614b8e9cdc10955df483f1693b390befd2818d44d6bfb9ea21b7f
Instruction Fuzzy Hash: D631DC72105346ABC722DF14D808F9BBBAAFB85710F000A1EF984D7181DB34EE08CB92

Function 003B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 003B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 003B9C8B

Part of subcall function 003B3874: GetInputState.USER32 ref: 003B38CB
Part of subcall function 003B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 003B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 003B9C75

Strings

*.*, xrefs: 003B9B5D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: c0cc2d8064153b77db5ef7bb366d2f224de62af150e4e52997091a29ac8791c7
Instruction ID: 12de3fc00d85610ac0617c03fb5c71ec732411c3fe3b8566d3c64bba871b0126
Opcode Fuzzy Hash: c0cc2d8064153b77db5ef7bb366d2f224de62af150e4e52997091a29ac8791c7
Instruction Fuzzy Hash: 1C414E7194420A9BDF16DFA4D889BEE7BF8EF05314F244156E605A7191EB30AE44CB60

Function 00348060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00385DAA
VUUU, xrefs: 003483E8
ERCP, xrefs: 0034813C
VUUU, xrefs: 003483FA
VUUU, xrefs: 0034843C
VUUU, xrefs: 00385DF0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: 68835d3d637170baee02205a080158226f970612b560f21b1431b430d3ad8d45
Instruction ID: e18e46aa053b8cfa5b656ffe923dae26720ff2f05bc773dfbb4c8d558c13f8d8
Opcode Fuzzy Hash: 68835d3d637170baee02205a080158226f970612b560f21b1431b430d3ad8d45
Instruction Fuzzy Hash: 9BA2AE70E0021ACBDF26DF58C8417AEB7B1BF54314F2585EAE815AB681DB74AD81CF90

Function 0035997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00359A4E
GetSysColor.USER32(0000000F), ref: 00359B23
SetBkColor.GDI32(?,00000000), ref: 00359B36

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 4ae7cdbb753ec45eb70051ba7871ba5cc3fae90c762e6d1050c7502bf63e866e
Instruction ID: 645cdad24a686f6f07c11307feed941543de4d9574ddd0b8bf5d76e52357acb8
Opcode Fuzzy Hash: 4ae7cdbb753ec45eb70051ba7871ba5cc3fae90c762e6d1050c7502bf63e866e
Instruction Fuzzy Hash: 92A12DB1228544EEEB27AB3C9C48FBB365DDB42341F17411BF902CAAF1CA259D05C275

Function 003C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003C307A
Part of subcall function 003C304E: _wcslen.LIBCMT ref: 003C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 003C185D
WSAGetLastError.WSOCK32 ref: 003C1884
bind.WSOCK32(00000000,?,00000010), ref: 003C18DB
WSAGetLastError.WSOCK32 ref: 003C18E6
closesocket.WSOCK32(00000000), ref: 003C1915

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 56cea04349c7aed289e2952775de3bcdb028de396513ffb065b7326161fc733a
Instruction ID: 87748379f6619c5c8e12d2a61eafa1e89c3100e86ae19d40100399dc0d13cfaa
Opcode Fuzzy Hash: 56cea04349c7aed289e2952775de3bcdb028de396513ffb065b7326161fc733a
Instruction Fuzzy Hash: B9519071A00210AFDB12AF24C886F2AB7E5AB45718F18849CF9069F393C771AD41DBA1

Function 003D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 003D1CC0
IsWindowEnabled.USER32 ref: 003D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 003D1CDB
IsIconic.USER32 ref: 003D1CE9
IsZoomed.USER32 ref: 003D1CF7

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d80cdb2358a46a70b8ad775bced04f259c92e8c79edb7bfc9d04495cbaface34
Instruction ID: ea5effb3378c798d08d4e60837cc28b3c730b48072f2215ddcd5320627a38092
Opcode Fuzzy Hash: d80cdb2358a46a70b8ad775bced04f259c92e8c79edb7bfc9d04495cbaface34
Instruction Fuzzy Hash: 632129327612016FD7228F1AE844F267BE9EF85310F19805AE845CB351CB71EC42CB90

Function 003A8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003A82AA

Strings

|, xrefs: 003A82DA
tb@, xrefs: 003A84F4
(, xrefs: 003A82F0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tb@$|
API String ID: 1659193697-3099576147
Opcode ID: 9dc01f16710acf0bdeb14ab6846d032535d18b7a1322705f8475a83d2ae89091
Instruction ID: 58fb556454e45cc18d657d9b1afd261a86ef3ebf331155861d324ea4bff8fb87
Opcode Fuzzy Hash: 9dc01f16710acf0bdeb14ab6846d032535d18b7a1322705f8475a83d2ae89091
Instruction Fuzzy Hash: 43323578A007059FCB29CF59C481A6AB7F0FF48710B15C56EE59ADB7A1EB70E981CB40

Function 003AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 003AAAAC
SetKeyboardState.USER32(00000080), ref: 003AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 003AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 003AAB88

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 0d1658fd442e148631e93b6fc08dd82f83f975c2afeafa311e108bf8513fcff9
Instruction ID: bea9c980697d07e5c3cbc4a17e0f24b94bcef8424453dfa32af7740c17462c61
Opcode Fuzzy Hash: 0d1658fd442e148631e93b6fc08dd82f83f975c2afeafa311e108bf8513fcff9
Instruction Fuzzy Hash: 9B313932A50A08AEFF37CB64CC05BFA7BAAEB46310F04421BF181965D1D3758981D7B2

Function 003BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 003BCE89
GetLastError.KERNEL32(?,00000000), ref: 003BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 003BCEFE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: fab2b74c0b42b79afa07b2ad8d7bee359141fe1e10d0ae9f19244414e9a8fce2
Instruction ID: bf76421fd296aa0e641d97e6d2bc64f248c8b655cb7ac5430d3338f5d9a23666
Opcode Fuzzy Hash: fab2b74c0b42b79afa07b2ad8d7bee359141fe1e10d0ae9f19244414e9a8fce2
Instruction Fuzzy Hash: 2321BD71A20306DBDB32DFA5D948BA777FCEB00319F10941EE64692951E774EE04CBA4

Function 003B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 003B5D17
FindClose.KERNEL32(?), ref: 003B5D5F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: cb6d0b4ca602d6d935dfcdc713fe7b0d7716a0e750fd723327a2c7f2fc9f6249
Instruction ID: e4fb545702cb45eaeb1c740bdb3693410a91e089a9d2c9552de7ad078dd0680b
Opcode Fuzzy Hash: cb6d0b4ca602d6d935dfcdc713fe7b0d7716a0e750fd723327a2c7f2fc9f6249
Instruction Fuzzy Hash: 14518974604A019FC716DF28C494A96B7E4FF49318F15865EEA5A8B3A1CB30F905CB91

Function 00372622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0037271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00372724
UnhandledExceptionFilter.KERNEL32(?), ref: 00372731

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: ec0b70bd36a48a1312b1507e1a94c3a53e615b00762413f2cfbb71c252040993
Instruction ID: fd5cf2847817beae492b3ef07d89f83b324c6ead8d1a1b6bce894abd26de8531
Opcode Fuzzy Hash: ec0b70bd36a48a1312b1507e1a94c3a53e615b00762413f2cfbb71c252040993
Instruction Fuzzy Hash: C631D5749112189BCB26DF68DD8979DB7B8AF08310F5082EAE80CA7261E7349F81CF44

Function 003B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003B5238
SetErrorMode.KERNEL32(00000000), ref: 003B52A1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 1c04b49383734df8de67d290d66ca8438e906197b49b616d4010dcffa3fc6363
Instruction ID: 0cedc7f26e47b42fe4295c666b3c46b634a1bcbd4e6cbe3a62cfd837b86c9538
Opcode Fuzzy Hash: 1c04b49383734df8de67d290d66ca8438e906197b49b616d4010dcffa3fc6363
Instruction Fuzzy Hash: DB315A35A105189FDB01DF54D884AADBBB4FF09318F048499E905AF362CB32E846CB90

Function 003A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0035FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00360668
Part of subcall function 0035FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00360685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003A173A
GetLastError.KERNEL32 ref: 003A174A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 7175eed47f1567c84dd456736e20f7f5f21d3d89cf693499ff1186e9140db81c
Instruction ID: eb6103c36e3b091ebccd1407977b9b1ed2a57e17d361eb9c29294435fdf53c6a
Opcode Fuzzy Hash: 7175eed47f1567c84dd456736e20f7f5f21d3d89cf693499ff1186e9140db81c
Instruction Fuzzy Hash: 6411BCB2820205AFD719AF54EC86D6AB7FDEB04714F20852EE45696251EB70FC41CA20

Function 003AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 003AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 003AD650

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 4fac0577b8c215eb35bdfe9fdd5995897331268600045d870c4cb9605fcdf667
Instruction ID: 8db0d5c76981a02a5992972f3cdfe261eda9f6b9a55ed26cc98a30089923e92a
Opcode Fuzzy Hash: 4fac0577b8c215eb35bdfe9fdd5995897331268600045d870c4cb9605fcdf667
Instruction Fuzzy Hash: 48118E75E05228BFDB118FA4EC44FAFBBBCEB45B50F108112F904E7290C2704A018BA1

Function 003A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 003A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003A16A1
FreeSid.ADVAPI32(?), ref: 003A16B1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 45e2ca1d7048fce5c070a600c211159948a05c7a8c7aa3c9584a1892c24b91d7
Instruction ID: 5e696d488e05dd69cad0e696c9d0be493e58410aebc1ce3e4b80a3de45f24ba3
Opcode Fuzzy Hash: 45e2ca1d7048fce5c070a600c211159948a05c7a8c7aa3c9584a1892c24b91d7
Instruction Fuzzy Hash: ACF0F471961309FBDF01DFE49C89AAEBBBCEB08704F504565E901E2191E774EA448A50

Function 0037C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0037C36C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 55ae83319ad74f06ef512bdf29e2758af9d27a64544058ba3fd190d32ac4e9cf
Instruction ID: ce454abe1739fb85c64c1c5c6ea50d59012148833ac265880e1bcb3a3ec4f84e
Opcode Fuzzy Hash: 55ae83319ad74f06ef512bdf29e2758af9d27a64544058ba3fd190d32ac4e9cf
Instruction Fuzzy Hash: 7D414976500219AFDB319FB9DC88DBB77B8EB84314F10866DF909DB181E6389D41CB50

Function 0039D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0039D28C

Strings

X64, xrefs: 0039D2A8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 8b5714a800a7c89362327e6c60ede8b02caa8bceb7900d54e4c601e562388474
Instruction ID: 35f693fba817b64cde4bff36099300647713f7594e67cc2be5f5b4ab0c0eb255
Opcode Fuzzy Hash: 8b5714a800a7c89362327e6c60ede8b02caa8bceb7900d54e4c601e562388474
Instruction Fuzzy Hash: FBD0C9B481111DEACF91CB90EC88DD9B37CBB04305F100552F506A2480D73095488F10

Function 0036CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 8f9e4578271c914b13bfa5ffded5b37efad2d62b28c540e61e36210f186396af
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 15024B71E102199BDF15CFA9C8806ADFBF1EF88314F25816AD859EB384D731AE018B90

Function 0034CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#A, xrefs: 0034CF7F
Variable is not of type 'Object'., xrefs: 00390C40

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#A
API String ID: 0-1342752299
Opcode ID: 3506ba6ef860ca1875c42b8ed3bcf9d35910eb2963da88acc8ce0337b78b351b
Instruction ID: 64f4e63983a11620727d113bed11b796e3f21aad422e9953668b9d5d98ac4a45
Opcode Fuzzy Hash: 3506ba6ef860ca1875c42b8ed3bcf9d35910eb2963da88acc8ce0337b78b351b
Instruction Fuzzy Hash: 4E327970911218DFCF5ADF90C980AEDB7F9BF05304F159069E806AF292DB75AE4ACB50

Function 003B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003B6918
FindClose.KERNEL32(00000000), ref: 003B6961

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 4b53b5ab1f7ec5015380ee4a105f32cd9b2dedb718607522a44a29fbfadc0f6b
Instruction ID: e52eb0425eeef6afa79a61d720cf750b78de90eb72118095f846b77417691062
Opcode Fuzzy Hash: 4b53b5ab1f7ec5015380ee4a105f32cd9b2dedb718607522a44a29fbfadc0f6b
Instruction Fuzzy Hash: FA11E2316142019FC711CF29D485A16BBE4FF85328F05C699F9698F7A2C734EC05CB90

Function 003B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,003C4891,?,?,00000035,?), ref: 003B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,003C4891,?,?,00000035,?), ref: 003B37F4

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3eccd08afc1215c372d837596cd3e80f332ae6e17dd59585159b1d52867e24d2
Instruction ID: 0ccb1214e14a63d2f3c0d81824b22b57de1d1393e73dcb06013635d2c079a810
Opcode Fuzzy Hash: 3eccd08afc1215c372d837596cd3e80f332ae6e17dd59585159b1d52867e24d2
Instruction Fuzzy Hash: 74F0EC706153396AD71117655C4DFDB379DEFC4765F000265F609D2581D9605D04C7B0

Function 003AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 003AB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 003AB270

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 6f6e78efa638b91882982cd5c0ef1bdcdaedacbbdd7364c531733eaf8a76230f
Instruction ID: e96bc791ecee612fee9ade29ed81a0a2e6f2bf296604c3780ffb64e1562b40c2
Opcode Fuzzy Hash: 6f6e78efa638b91882982cd5c0ef1bdcdaedacbbdd7364c531733eaf8a76230f
Instruction Fuzzy Hash: D6F01D7181424EABDB069FA1D805BAEBBB4FF05305F00944AF955A5192C3798611DF94

Function 003A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003A11FC), ref: 003A10D4
CloseHandle.KERNEL32(?,?,003A11FC), ref: 003A10E9

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: dd89aa90b345568d4be62b9cca0770c469e4a20412e33baf4d4436d9f997b6b2
Instruction ID: 10e22356888c9e57b7114efac85af010f19f8191df09abecd4bd7e35bd782ef9
Opcode Fuzzy Hash: dd89aa90b345568d4be62b9cca0770c469e4a20412e33baf4d4436d9f997b6b2
Instruction Fuzzy Hash: D6E04F32024601AEE7262B11FC06E7377EDEB04311F10882EF8A5844B5DB62AC90DB10

Function 0037676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00376766,?,?,00000008,?,?,0037FEFE,00000000), ref: 00376998

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 629b795e05bd034681a36a65b99cc6ef3e63a37db5534994a4bdfb6d3070d5bc
Instruction ID: c01c6b0a1850bea2574d68415eb99b0976ff01de10009c98fd4cb7eaff4a96fc
Opcode Fuzzy Hash: 629b795e05bd034681a36a65b99cc6ef3e63a37db5534994a4bdfb6d3070d5bc
Instruction Fuzzy Hash: D6B15B71510A099FD72ACF28C496B657BE0FF45364F26C658E89DCF2A2C339D985CB40

Function 0035B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0039851F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 4def34c697595243baa9cb300a717080041f3a2d34f6a6f7b4f32104ceb534cb
Instruction ID: fc45648b7f1af524953ef8e0a22d793d5b0146f4472db2f6d6d5ab58c5a46483
Opcode Fuzzy Hash: 4def34c697595243baa9cb300a717080041f3a2d34f6a6f7b4f32104ceb534cb
Instruction Fuzzy Hash: D3125F759002299FCF26CF59C880AEEB7F5FF49710F15819AE849EB251DB309E85CB90

Function 003BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 003BEABD

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5df69fd4a2229e95f13384ecbf447c2cfe30b532f314cc9a7cb8573b89a5ed89
Instruction ID: 559db8134e0ff83849dde570768ff1757160d708ebe2dcd95dd05b9dab4f7cf4
Opcode Fuzzy Hash: 5df69fd4a2229e95f13384ecbf447c2cfe30b532f314cc9a7cb8573b89a5ed89
Instruction Fuzzy Hash: 06E01A312202049FC711EF69D804E9AF7EDAF98764F008416FD49CB6A1DA70E8408B90

Function 003609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,003603EE), ref: 003609DA

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 902e78d64cf5cc52391b80553ec8b0c89ba44902a16fc63981aaf9e5b52f7065
Instruction ID: d60db3601907482510a5cc5181d7dd28c4a22c8858dc996fde7a19a25a440593
Opcode Fuzzy Hash: 902e78d64cf5cc52391b80553ec8b0c89ba44902a16fc63981aaf9e5b52f7065
Instruction Fuzzy Hash:

Function 0036781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0036798B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 70fec9ec28b8ae148615f96dc34f5fb978b6ca2cba771dbb0dbe9769b6d2cee4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 8451567160C6055ADB3B8678885F7BE23D99B0234CFD9CA09D882CB78EC715EE41D366

Function 003B2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&A, xrefs: 003B2053

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: 0&A
API String ID: 0-422563488
Opcode ID: 352583740ef1d0962f3c875a4b2a0046414656e0ae1304d177eaf0065fb8d52a
Instruction ID: 3b8ee4b02279b2f3641b2ddb7e37430cfccfdc463fa221ebb9b3764e6b6ed632
Opcode Fuzzy Hash: 352583740ef1d0962f3c875a4b2a0046414656e0ae1304d177eaf0065fb8d52a
Instruction Fuzzy Hash: 3121D5322206118BD728CE79C9226BE73E5A754314F158A2EE4A7C77D0DE79A904CB84

Function 00376DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bc83a1d2ad4cbf995768b84e143a8ae67cb849d432976814d3cff7d5c1136a
Instruction ID: 76ed6820870d605d252ce36cdeeb4bed1e3d3ecf57e3b466c7903c7aca2eb4a6
Opcode Fuzzy Hash: 29bc83a1d2ad4cbf995768b84e143a8ae67cb849d432976814d3cff7d5c1136a
Instruction Fuzzy Hash: C6323522D29F414DD7339634CC62336A68DAFB73D5F15D737E82AB99A6EB29C4834100

Function 0035CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a940087837cf2fa142b218c41d955873191a4830aec725dda68374f982f71698
Instruction ID: ed687ed7786508c2bc66dd309b7976db3554f6a93085f9269e270b8cca4d57e3
Opcode Fuzzy Hash: a940087837cf2fa142b218c41d955873191a4830aec725dda68374f982f71698
Instruction Fuzzy Hash: 03327D31A202058FDF27CF28C490A7D7BA5EF45305F2AA526D85ADB6A2D330DD86DB40

Function 00347920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d1a4adba19f0a8e219bd8bbdb9345be214601ebe597ab64080ba27d974bae9
Instruction ID: 570c58f821fda8042394a612e2ebe5396e8fba8286a9103a7d6089505bac8912
Opcode Fuzzy Hash: b3d1a4adba19f0a8e219bd8bbdb9345be214601ebe597ab64080ba27d974bae9
Instruction Fuzzy Hash: 4F22D3B0A04609DFDF16DFA4C981AAEB7F5FF44300F204569E812EB291EB36AD15CB50

Function 003491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2df8041b245c27f4ee153f20a2cca65fcdbb2620102b0c46014a038bc5d9eca7
Instruction ID: 545e17fa04c173105c73826dc88a2f241dc3c7497069646f4f1a22a8a9343eb4
Opcode Fuzzy Hash: 2df8041b245c27f4ee153f20a2cca65fcdbb2620102b0c46014a038bc5d9eca7
Instruction Fuzzy Hash: 1E02A6B1E00209EFDB06EF54D981AAEB7F5FF44300F1185A9E8169F291E731EA14CB95

Function 00361C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 57eb32463a1699e3acf35fc67bb34364529e56e33c46156fc5eee5d6f3c567a5
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B89177725090E34ADB6F463E857403EFFE15A923A131F479ED4F2CA1C9EE20C964E620

Function 003619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: b752282e17b37d35159b91e93ddd069eff6e538cc509079d94eaa8bdcb7ed636
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: F19152722090E34ADB6F427A857403EFFE55A923A231F879DD4F2CB5C9FE14C564A620

Function 00367A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b72eccf640bf66d8c414cff6bff9dd131304de2819213a6d68f7ab60dd22a499
Instruction ID: 37eb70aeed5921c5fe9d9884a6aab872a7647dc087f0849ec8da1e6c80ac39f6
Opcode Fuzzy Hash: b72eccf640bf66d8c414cff6bff9dd131304de2819213a6d68f7ab60dd22a499
Instruction Fuzzy Hash: BB61793120834956DA379AA8C8A5BBE2398DF4170CFE1CA19E843DF38DDA519E42C355

Function 00367CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148f4e5b2bd3de8c6c2ba9c1445c652e16bae60d6760ef95262187ea97741bb2
Instruction ID: 31b8a0247ef97801a6584958675d999552e862de9670f8c9efa9053beb789a26
Opcode Fuzzy Hash: 148f4e5b2bd3de8c6c2ba9c1445c652e16bae60d6760ef95262187ea97741bb2
Instruction Fuzzy Hash: 0561AC3120870953DF3B9A288895BBF2388DF4274CFD1CD59E943DF68DEA129D468355

Function 00361706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e1d5a5bf63833172e72a2b6494997c2858de8700825246b48bd97f16b5bca11d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A88163726090E30EDB6F863A853443EFFE15A923A131F879DD4F2CB5C9EE248554E660

Function 003C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003C2B30
DeleteObject.GDI32(00000000), ref: 003C2B43
DestroyWindow.USER32 ref: 003C2B52
GetDesktopWindow.USER32 ref: 003C2B6D
GetWindowRect.USER32(00000000), ref: 003C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 003C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 003C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2CF8
GetClientRect.USER32(00000000,?), ref: 003C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2D80
GlobalLock.KERNEL32(00000000), ref: 003C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2D98
GlobalUnlock.KERNEL32(00000000), ref: 003C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2DA8
GlobalFree.KERNEL32(00000000), ref: 003C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,003DFC38,00000000), ref: 003C2DDB
GlobalFree.KERNEL32(00000000), ref: 003C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 003C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 003C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003C303F

Strings

static, xrefs: 003C2D3A, 003C2E91
, xrefs: 003C2FC5
AutoIt v3, xrefs: 003C2CF2
DISPLAY, xrefs: 003C2EA2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 5a28a6685308a2548b905f5a8ec128f0124a7c7567db7aeede2a7e40cdcdf5f9
Instruction ID: b02d658e9c6119808f281f6fc7bd353906321378038614a1d7fde4d69023c372
Opcode Fuzzy Hash: 5a28a6685308a2548b905f5a8ec128f0124a7c7567db7aeede2a7e40cdcdf5f9
Instruction Fuzzy Hash: 11028E71910219AFDB16DF64DC89EAEBBB9FF49310F048559F915AB2A1CB70ED00CB60

Function 003D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 003D712F
GetSysColorBrush.USER32(0000000F), ref: 003D7160
GetSysColor.USER32(0000000F), ref: 003D716C
SetBkColor.GDI32(?,000000FF), ref: 003D7186
SelectObject.GDI32(?,?), ref: 003D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 003D71C0
GetSysColor.USER32(00000010), ref: 003D71C8
CreateSolidBrush.GDI32(00000000), ref: 003D71CF
FrameRect.USER32(?,?,00000000), ref: 003D71DE
DeleteObject.GDI32(00000000), ref: 003D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 003D7230
FillRect.USER32(?,?,?), ref: 003D7262
GetWindowLongW.USER32(?,000000F0), ref: 003D7284

Part of subcall function 003D73E8: GetSysColor.USER32(00000012), ref: 003D7421
Part of subcall function 003D73E8: SetTextColor.GDI32(?,?), ref: 003D7425
Part of subcall function 003D73E8: GetSysColorBrush.USER32(0000000F), ref: 003D743B
Part of subcall function 003D73E8: GetSysColor.USER32(0000000F), ref: 003D7446
Part of subcall function 003D73E8: GetSysColor.USER32(00000011), ref: 003D7463
Part of subcall function 003D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003D7471
Part of subcall function 003D73E8: SelectObject.GDI32(?,00000000), ref: 003D7482
Part of subcall function 003D73E8: SetBkColor.GDI32(?,00000000), ref: 003D748B
Part of subcall function 003D73E8: SelectObject.GDI32(?,?), ref: 003D7498
Part of subcall function 003D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 003D74B7
Part of subcall function 003D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003D74CE
Part of subcall function 003D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 003D74DB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 0bf51f00755f22de8fbf46695d010b54ffe063329cdc5f85d9ba362084012fb6
Instruction ID: ff8f5c0904b89925f71c85d4e1413b3ab1264f709e1d2607e48bbc15463beb26
Opcode Fuzzy Hash: 0bf51f00755f22de8fbf46695d010b54ffe063329cdc5f85d9ba362084012fb6
Instruction Fuzzy Hash: C4A1A272029312AFDB029F60EC48E5BBBADFF49321F101B1AF962961E1D771E944CB51

Function 00358D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00358E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00396AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00396AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00396F43

Part of subcall function 00358F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00358BE8,?,00000000,?,?,?,?,00358BBA,00000000,?), ref: 00358FC5

SendMessageW.USER32(?,00001053), ref: 00396F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00396F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00396FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00396FB7

Strings

0, xrefs: 00396DCF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: f7c7fe61e66da0c295e3af4449408ff108db01371fe907ab3ee045a2d6561844
Instruction ID: e8de4877051ffd8936b2ce0d943629137bdda03a5ae9940b5572d1135c85c5ee
Opcode Fuzzy Hash: f7c7fe61e66da0c295e3af4449408ff108db01371fe907ab3ee045a2d6561844
Instruction Fuzzy Hash: 8512DA30612202DFCB22CF24D996BAAB7F9FB44301F158029F9959B661CB31EC55CB91

Function 003C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 003C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 003C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 003C2900
GetClientRect.USER32(00000000,?), ref: 003C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 003C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003C2964
GetStockObject.GDI32(00000011), ref: 003C2974
SelectObject.GDI32(00000000,00000000), ref: 003C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 003C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003C2991
DeleteDC.GDI32(00000000), ref: 003C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 003C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 003C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 003C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 003C2A77
GetStockObject.GDI32(00000011), ref: 003C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 003C2A97

Strings

static, xrefs: 003C294F, 003C2A71
msctls_progress32, xrefs: 003C2A13
AutoIt v3, xrefs: 003C28F8
DISPLAY, xrefs: 003C295A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 62396a6f399bb3ad7875c3d300bf2d80bdf033748a8b536b2f95d13e3f1914c8
Instruction ID: 979b1c1d7d9febed58f88f07f807a9b3d5bd76c276a7024f72d68837a0cccf46
Opcode Fuzzy Hash: 62396a6f399bb3ad7875c3d300bf2d80bdf033748a8b536b2f95d13e3f1914c8
Instruction Fuzzy Hash: 9EB16071A50219AFEB15DF68DC85FAFBBA9EB04710F008159FA15EB2A0D770ED40CB54

Function 003B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003B4AED
GetDriveTypeW.KERNEL32(?,003DCB68,?,\\.\,003DCC08), ref: 003B4BCA
SetErrorMode.KERNEL32(00000000,003DCB68,?,\\.\,003DCC08), ref: 003B4D36

Strings

FileBackedVirtual, xrefs: 003B4CEC
USB, xrefs: 003B4CB4
iSCSI, xrefs: 003B4CC2
SATA, xrefs: 003B4CD0
Removable, xrefs: 003B4C10, 003B4C15
PhysicalDrive, xrefs: 003B4B76
SCSI, xrefs: 003B4C8A
\\.\, xrefs: 003B4B3F
Fibre, xrefs: 003B4CAD
RAID, xrefs: 003B4CBB
Virtual, xrefs: 003B4CE5
Fixed, xrefs: 003B4C09
SSA, xrefs: 003B4CA6
CDROM, xrefs: 003B4BFB
1394, xrefs: 003B4C9F
RAMDisk, xrefs: 003B4BF4
ATA, xrefs: 003B4C98
MMC, xrefs: 003B4CDE
SAS, xrefs: 003B4CC9
SSD, xrefs: 003B4C4A
Network, xrefs: 003B4C02
Unknown, xrefs: 003B4BED, 003B4C83
ATAPI, xrefs: 003B4C91

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: f90744d01255fc505c815ec4e418bdb4fa6c14ba57560835b44a5f7a38e74509
Instruction ID: 8a3c7731e5cc22e185bfb63248319824d3d879209aaa4c8cf0e650709028ba01
Opcode Fuzzy Hash: f90744d01255fc505c815ec4e418bdb4fa6c14ba57560835b44a5f7a38e74509
Instruction Fuzzy Hash: 4561C630705205ABCB06DF14C981AF97BA4EF04B08B218426FA07AFE97DB35ED55DB49

Function 003D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 003D7421
SetTextColor.GDI32(?,?), ref: 003D7425
GetSysColorBrush.USER32(0000000F), ref: 003D743B
GetSysColor.USER32(0000000F), ref: 003D7446
CreateSolidBrush.GDI32(?), ref: 003D744B
GetSysColor.USER32(00000011), ref: 003D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 003D7471
SelectObject.GDI32(?,00000000), ref: 003D7482
SetBkColor.GDI32(?,00000000), ref: 003D748B
SelectObject.GDI32(?,?), ref: 003D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 003D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 003D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 003D7572
DrawFocusRect.USER32(?,?), ref: 003D757D
GetSysColor.USER32(00000011), ref: 003D758E
SetTextColor.GDI32(?,00000000), ref: 003D7596
DrawTextW.USER32(?,003D70F5,000000FF,?,00000000), ref: 003D75A8
SelectObject.GDI32(?,?), ref: 003D75BF
DeleteObject.GDI32(?), ref: 003D75CA
SelectObject.GDI32(?,?), ref: 003D75D0
DeleteObject.GDI32(?), ref: 003D75D5
SetTextColor.GDI32(?,?), ref: 003D75DB
SetBkColor.GDI32(?,?), ref: 003D75E5

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: cf021e46e5bfe2cd12d69e6da66b8fb1cfb8c111ca4b4088a2d8c08d581a3abe
Instruction ID: 1046d0499a4fe3e6f4aea1fdb2c07088a97cf08f8aa69609a35046b56311977a
Opcode Fuzzy Hash: cf021e46e5bfe2cd12d69e6da66b8fb1cfb8c111ca4b4088a2d8c08d581a3abe
Instruction Fuzzy Hash: 9B617272911219AFDF029FA4EC49EEEBF79EF09320F115116F915AB2A1D7709940CF90

Function 003D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003D1128
GetDesktopWindow.USER32 ref: 003D113D
GetWindowRect.USER32(00000000), ref: 003D1144
GetWindowLongW.USER32(?,000000F0), ref: 003D1199
DestroyWindow.USER32(?), ref: 003D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 003D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 003D1245
IsWindowVisible.USER32(00000000), ref: 003D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 003D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 003D12D0
GetWindowRect.USER32(00000000,?), ref: 003D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 003D130E
GetMonitorInfoW.USER32(00000000,?), ref: 003D1328
CopyRect.USER32(?,?), ref: 003D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 003D13AA

Strings

0, xrefs: 003D10D3
tooltips_class32, xrefs: 003D11E6
(, xrefs: 003D131B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fddd25593c2cae368185bcf7bab593a3c5318315c412d6d426919f716095e04b
Instruction ID: 8af2c8a4b0502ff260bfd1f899f1baeea20fb5a472d1485fbc6506c6945f52a1
Opcode Fuzzy Hash: fddd25593c2cae368185bcf7bab593a3c5318315c412d6d426919f716095e04b
Instruction Fuzzy Hash: 36B18D72618341AFD715DF64E884B6BFBE8FF84350F00891AF9999B2A1C771E844CB91

Function 003D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003D02E5
_wcslen.LIBCMT ref: 003D031F
_wcslen.LIBCMT ref: 003D0389
_wcslen.LIBCMT ref: 003D03F1
_wcslen.LIBCMT ref: 003D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003D0504

Part of subcall function 0035F9F2: _wcslen.LIBCMT ref: 0035F9FD

Part of subcall function 003A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003A2258
Part of subcall function 003A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003A228A

Strings

SELECT, xrefs: 003D0548
GETSUBITEMCOUNT, xrefs: 003D0384, 003D039F
GETTEXT, xrefs: 003D03EC, 003D0407
SELECTINVERT, xrefs: 003D057E
GETITEMCOUNT, xrefs: 003D0316, 003D0337
VIEWCHANGE, xrefs: 003D0675
SELECTALL, xrefs: 003D0515
SELECTCLEAR, xrefs: 003D052D
ISSELECTED, xrefs: 003D04DD
GETSELECTEDCOUNT, xrefs: 003D0470, 003D048B
GETSELECTED, xrefs: 003D05E1
FINDITEM, xrefs: 003D0627
DESELECT, xrefs: 003D059C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: f0c69ba1fe4e1a895d520ac56565db21090da59b39df3b85c68aa44f8921234d
Instruction ID: c4007b4c95781c9e00bc34140fab2a6caa8f4cb9863711b4f6cc9d15c03ed5b4
Opcode Fuzzy Hash: f0c69ba1fe4e1a895d520ac56565db21090da59b39df3b85c68aa44f8921234d
Instruction Fuzzy Hash: BEE1B2326082018FC71ADF24D450A2AB3E6FF89B14F15496EF896AF7A1DB30ED45CB51

Function 00358891 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00358968
GetSystemMetrics.USER32(00000007), ref: 00358970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0035899B
GetSystemMetrics.USER32(00000008), ref: 003589A3
GetSystemMetrics.USER32(00000004), ref: 003589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 003589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 003589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00358A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00358A3C
GetClientRect.USER32(00000000,000000FF), ref: 00358A5A
GetStockObject.GDI32(00000011), ref: 00358A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00358A81

Part of subcall function 0035912D: GetCursorPos.USER32(?), ref: 00359141
Part of subcall function 0035912D: ScreenToClient.USER32(00000000,?), ref: 0035915E
Part of subcall function 0035912D: GetAsyncKeyState.USER32(00000001), ref: 00359183
Part of subcall function 0035912D: GetAsyncKeyState.USER32(00000002), ref: 0035919D

SetTimer.USER32(00000000,00000000,00000028,003590FC), ref: 00358AA8

Strings

AutoIt v3 GUI, xrefs: 00358A20
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 003589BE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 1458621304-3716850183
Opcode ID: 238c33eca951a6bc1d3c8f98e2b20f3dc796ee2ecb732f9d3dc662385ee509ac
Instruction ID: 8c937c781f69846155e064126d6fc877b5aab812d562448dec0b12f52c99e186
Opcode Fuzzy Hash: 238c33eca951a6bc1d3c8f98e2b20f3dc796ee2ecb732f9d3dc662385ee509ac
Instruction Fuzzy Hash: 5AB17D71A1120A9FDF16DFA8D845FEE3BB5FB48315F11412AFA15AB2A0DB34E840CB54

Function 003A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003A1114
Part of subcall function 003A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A1120
Part of subcall function 003A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A112F
Part of subcall function 003A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A1136
Part of subcall function 003A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 003A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 003A0E29
GetLengthSid.ADVAPI32(?), ref: 003A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 003A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 003A0E96
GetLengthSid.ADVAPI32(?), ref: 003A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 003A0EB5
HeapAlloc.KERNEL32(00000000), ref: 003A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 003A0EDD
CopySid.ADVAPI32(00000000), ref: 003A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 003A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 003A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 003A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A0F6E
HeapFree.KERNEL32(00000000), ref: 003A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A0F7E
HeapFree.KERNEL32(00000000), ref: 003A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A0F8E
HeapFree.KERNEL32(00000000), ref: 003A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 003A0FA1
HeapFree.KERNEL32(00000000), ref: 003A0FA8

Part of subcall function 003A1193: GetProcessHeap.KERNEL32(00000008,003A0BB1,?,00000000,?,003A0BB1,?), ref: 003A11A1
Part of subcall function 003A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,003A0BB1,?), ref: 003A11A8
Part of subcall function 003A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,003A0BB1,?), ref: 003A11B7

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 071b314d8bfba31d9ab6e5be66e1055e640f6e92fa099595aca01cb880bfb368
Instruction ID: 43f9607d3052a0b68894f857e91b7ed50ec05d5f2869f8f7790e24928d830d76
Opcode Fuzzy Hash: 071b314d8bfba31d9ab6e5be66e1055e640f6e92fa099595aca01cb880bfb368
Instruction Fuzzy Hash: 11715A7291121AEFDF269FA4EC44FAEBBBCFF06301F058116E919B6191D731A905CB60

Function 003CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,003DCC08,00000000,?,00000000,?,?), ref: 003CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 003CC5A4
_wcslen.LIBCMT ref: 003CC5F4
_wcslen.LIBCMT ref: 003CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 003CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 003CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 003CC84D
RegCloseKey.ADVAPI32(?), ref: 003CC881
RegCloseKey.ADVAPI32(00000000), ref: 003CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 003CC960

Strings

REG_BINARY, xrefs: 003CC913
REG_QWORD, xrefs: 003CC8C3
REG_EXPAND_SZ, xrefs: 003CC5CD
REG_SZ, xrefs: 003CC644
REG_DWORD, xrefs: 003CC804
REG_MULTI_SZ, xrefs: 003CC6F5

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a732491b95c537c0edb91a5c0bfeacdf680a23f8f9201d2393b3a67dc4f374d8
Instruction ID: b4e04a646fff60e98a5f97dbbb2d7f6ae5d0e210873c5a945fa6e396944d272e
Opcode Fuzzy Hash: a732491b95c537c0edb91a5c0bfeacdf680a23f8f9201d2393b3a67dc4f374d8
Instruction Fuzzy Hash: B81231356142119FCB16DF24C881E2AB7E5EF89714F05889DF88A9F2A2DB31FC41CB81

Function 003D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003D09C6
_wcslen.LIBCMT ref: 003D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003D0A54
_wcslen.LIBCMT ref: 003D0A8A
_wcslen.LIBCMT ref: 003D0B06
_wcslen.LIBCMT ref: 003D0B81

Part of subcall function 0035F9F2: _wcslen.LIBCMT ref: 0035F9FD

Part of subcall function 003A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003A2BFA

Strings

CHECK, xrefs: 003D0A85, 003D0AA0
GETTOTALCOUNT, xrefs: 003D09F2, 003D0A17
SELECT, xrefs: 003D0D11
COLLAPSE, xrefs: 003D0B01, 003D0B1C
EXISTS, xrefs: 003D0B7C, 003D0B97
ISCHECKED, xrefs: 003D0CE1
EXPAND, xrefs: 003D0BF8
UNCHECK, xrefs: 003D0D3E
GETTEXT, xrefs: 003D0C97
GETSELECTED, xrefs: 003D0C4E
GETITEMCOUNT, xrefs: 003D0C1E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 3225e74da3958fa16d4ea5aaf40e4163f7d2aa8bc7bea984644137a9fa4d0451
Instruction ID: 029c476de8606bbdb3bff5913f8b49f219eb1f2912a21d9bee08cdb380b68070
Opcode Fuzzy Hash: 3225e74da3958fa16d4ea5aaf40e4163f7d2aa8bc7bea984644137a9fa4d0451
Instruction Fuzzy Hash: C9E1AE326087018FC71ADF24C450A2AB7E2FF99714F11895EF8966B3A2D730ED45CB81

Function 003CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,003CB6AE,?,?), ref: 003CC9B5
_wcslen.LIBCMT ref: 003CC9F1
_wcslen.LIBCMT ref: 003CCA68
_wcslen.LIBCMT ref: 003CCA9E
_wcslen.LIBCMT ref: 003CCAF9
_wcslen.LIBCMT ref: 003CCB2F
_wcslen.LIBCMT ref: 003CCB7F

Strings

HKCR, xrefs: 003CCB29, 003CCB2E
HKLM, xrefs: 003CCA98, 003CCA9D
HKEY_USERS, xrefs: 003CCBDF
HKEY_CURRENT_USER, xrefs: 003CCBBD
HKEY_LOCAL_MACHINE, xrefs: 003CCA62, 003CCA67
HKU, xrefs: 003CCBF0
HKEY_CURRENT_CONFIG, xrefs: 003CCB79, 003CCB7E
HKCU, xrefs: 003CCBCE
HKCC, xrefs: 003CCBAC
HKEY_CLASSES_ROOT, xrefs: 003CCAF3, 003CCAF8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 123b4d11ad5d886af76045ae007ccead283ce73bde8a117a06651d0bd5a25007
Instruction ID: 94afc21fe0325ebd28bf76c19fca5aec6937909683a6f71d515446b6e3f153ab
Opcode Fuzzy Hash: 123b4d11ad5d886af76045ae007ccead283ce73bde8a117a06651d0bd5a25007
Instruction Fuzzy Hash: 20710632A2052A8BCB12DE7CC841FBA3395AB60750B12552DFC5EEB284E735ED45C3A1

Function 003D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003D835A
_wcslen.LIBCMT ref: 003D836E
_wcslen.LIBCMT ref: 003D8391
_wcslen.LIBCMT ref: 003D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003D5BF2), ref: 003D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003D8501
FreeLibrary.KERNEL32(?), ref: 003D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003D851D
DestroyIcon.USER32(?,?,?,?,?,003D5BF2), ref: 003D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003D8555

Strings

.icl, xrefs: 003D8368
.dll, xrefs: 003D83AB
.exe, xrefs: 003D8388

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 05d7750764bde5147dc4789b44044ff854b100339ec10dd0410cbd408b3c13de
Instruction ID: e51b430375d8cb8336610ed13f003911f1d57db600c5648605416e4f892b12e1
Opcode Fuzzy Hash: 05d7750764bde5147dc4789b44044ff854b100339ec10dd0410cbd408b3c13de
Instruction Fuzzy Hash: 3061F072910216BAEB16CF65EC41BBF77ACFB05B10F10460AF815DA2D1DB74AA90C7A0

Function 00347778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#comments-start, xrefs: 0034785F, 003478B1
#include, xrefs: 00347847
#comments-end, xrefs: 003478D9
Cannot parse #include, xrefs: 00385279
#include-once, xrefs: 0034782F
Bad directive syntax error, xrefs: 0038519A
Unterminated group of comments, xrefs: 0038528C
#requireadmin, xrefs: 003477FF
#cs, xrefs: 00347873, 003478C5
#OnAutoItStartRegister, xrefs: 00347817
#ce, xrefs: 003478ED
#notrayicon, xrefs: 003477E7
', xrefs: 00385169
", xrefs: 00385153
#pragma compile, xrefs: 003477D3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 5edace483a7b4b5f6243733d0414ea9f3d2959afca6c571d43728c7837f1b351
Instruction ID: 665323f235545165bf8f74c3617836527b7bc3409e5f19dfe0823d13a89b461e
Opcode Fuzzy Hash: 5edace483a7b4b5f6243733d0414ea9f3d2959afca6c571d43728c7837f1b351
Instruction Fuzzy Hash: 5F81F371A44205ABDB23AF60DC42FBE7BE8EF15300F018465F805AF296EB71EA15C791

Function 003B3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 003B3EF8
_wcslen.LIBCMT ref: 003B3F03
_wcslen.LIBCMT ref: 003B3F5A
_wcslen.LIBCMT ref: 003B3F98
GetDriveTypeW.KERNEL32(?), ref: 003B3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003B401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003B4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003B4087

Strings

type cdaudio alias cd wait, xrefs: 003B4001
closed, xrefs: 003B3F08, 003B3F2D, 003B3F46, 003B3F7E, 003B3F97
set cd door , xrefs: 003B4028
open, xrefs: 003B3F54, 003B3F59
close, xrefs: 003B3EFE, 003B3F18
close cd wait, xrefs: 003B4072
wait, xrefs: 003B4044
open , xrefs: 003B3FE5

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4306c1ef4dae0a4b29ef203fcf57cccf8875359b4f024cb98054127ea7f99c9a
Instruction ID: dc4145588efb2aafac7b0031b64fca78b1b93f9667ca4d753ee97af449969ef2
Opcode Fuzzy Hash: 4306c1ef4dae0a4b29ef203fcf57cccf8875359b4f024cb98054127ea7f99c9a
Instruction Fuzzy Hash: 07710432A042119FC311EF24C8819BBB7F4EF94758F11492DFA969B691EB30ED45CB51

Function 003A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 003A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 003A5A40
SetWindowTextW.USER32(?,?), ref: 003A5A57
GetDlgItem.USER32(?,000003EA), ref: 003A5A6C
SetWindowTextW.USER32(00000000,?), ref: 003A5A72
GetDlgItem.USER32(?,000003E9), ref: 003A5A82
SetWindowTextW.USER32(00000000,?), ref: 003A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 003A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 003A5AC3
GetWindowRect.USER32(?,?), ref: 003A5ACC
_wcslen.LIBCMT ref: 003A5B33
SetWindowTextW.USER32(?,?), ref: 003A5B6F
GetDesktopWindow.USER32 ref: 003A5B75
GetWindowRect.USER32(00000000), ref: 003A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 003A5BD3
GetClientRect.USER32(?,?), ref: 003A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 003A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 003A5C2F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 670ce6d48b91943bbd9e30d1af8d342281826c5965698f163958a280b94d5e2c
Instruction ID: 5cb301e31d7d1fdf03e318a4c26afd119780b5173c3bd8d74567d0c6eded9837
Opcode Fuzzy Hash: 670ce6d48b91943bbd9e30d1af8d342281826c5965698f163958a280b94d5e2c
Instruction Fuzzy Hash: B8718031A00B05EFDB22DFA8CD85AAEBBF9FF48705F104519E142A75A0D774E944CB60

Function 003BFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 003BFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 003BFE32
LoadCursorW.USER32(00000000,00007F00), ref: 003BFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 003BFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 003BFE53
LoadCursorW.USER32(00000000,00007F01), ref: 003BFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 003BFE69
LoadCursorW.USER32(00000000,00007F88), ref: 003BFE74
LoadCursorW.USER32(00000000,00007F80), ref: 003BFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 003BFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 003BFE95
LoadCursorW.USER32(00000000,00007F85), ref: 003BFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 003BFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 003BFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 003BFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 003BFECC
GetCursorInfo.USER32(?), ref: 003BFEDC
GetLastError.KERNEL32 ref: 003BFF1E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 0db20f61088db81fcb2637d11c58e27d903ddf768aa6f689251e812b754f026b
Instruction ID: 8a15fef640c1ad1b7033b1bea6c32717bf22522a9d7e1096daaa4cebe4a65a68
Opcode Fuzzy Hash: 0db20f61088db81fcb2637d11c58e27d903ddf768aa6f689251e812b754f026b
Instruction Fuzzy Hash: 0B4184B0D093196EDB119FBA8C8586EBFE8FF04754B50412AE11CEB681DB78E901CF90

Function 003A30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003A318D
_wcslen.LIBCMT ref: 003A31F8

Strings

CLASSNN, xrefs: 003A31F3, 003A3204
NAME, xrefs: 003A3335, 003A3346
CLASS, xrefs: 003A3188, 003A31A5
INSTANCE, xrefs: 003A3453
REGEXPCLASS, xrefs: 003A3255, 003A3266
[@, xrefs: 003A339A
TEXT, xrefs: 003A347C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[@
API String ID: 176396367-2531399406
Opcode ID: f521ee5c5bfb53de8dadc55579310cfddaee4fbd55ae50693186d5abaec52a69
Instruction ID: 44a71d67961c124156649acf3ceaedde6f87d349534312def787c9b3ed88d6ba
Opcode Fuzzy Hash: f521ee5c5bfb53de8dadc55579310cfddaee4fbd55ae50693186d5abaec52a69
Instruction Fuzzy Hash: BEE1D531A005169BCB16DFB8C4517EEFBB4FF56710F55812AF456BB280DB30AE858B90

Function 003600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 003600C6

Part of subcall function 003600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0041070C,00000FA0,5097B69E,?,?,?,?,003823B3,000000FF), ref: 0036011C
Part of subcall function 003600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,003823B3,000000FF), ref: 00360127
Part of subcall function 003600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,003823B3,000000FF), ref: 00360138
Part of subcall function 003600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0036014E
Part of subcall function 003600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0036015C
Part of subcall function 003600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0036016A
Part of subcall function 003600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00360195
Part of subcall function 003600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 003601A0

___scrt_fastfail.LIBCMT ref: 003600E7

Part of subcall function 003600A3: __onexit.LIBCMT ref: 003600A9

Strings

WakeAllConditionVariable, xrefs: 00360162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00360122
InitializeConditionVariable, xrefs: 00360148
kernel32.dll, xrefs: 00360133
SleepConditionVariableCS, xrefs: 00360154

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 57fac0651484bf413b3968fe92646b444f7e05a32089d2184b298efb4b5ed529
Instruction ID: 3146723afaa7fbea55cda96adc8235de427eba3d6a6c121222a788bf5505efa1
Opcode Fuzzy Hash: 57fac0651484bf413b3968fe92646b444f7e05a32089d2184b298efb4b5ed529
Instruction Fuzzy Hash: 002129366513116FD7176BA4BC47FAB7398EB06B51F118137F802E62D5DBB49800CA94

Function 003B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,003DCC08), ref: 003B4527
_wcslen.LIBCMT ref: 003B453B
_wcslen.LIBCMT ref: 003B4599
_wcslen.LIBCMT ref: 003B45F4
_wcslen.LIBCMT ref: 003B463F
_wcslen.LIBCMT ref: 003B46A7

Part of subcall function 0035F9F2: _wcslen.LIBCMT ref: 0035F9FD

GetDriveTypeW.KERNEL32(?,00406BF0,00000061), ref: 003B4743

Strings

cdrom, xrefs: 003B458F, 003B4594
ramdisk, xrefs: 003B46F1
all, xrefs: 003B4531, 003B4536
network, xrefs: 003B469D, 003B46A2
unknown, xrefs: 003B4708
fixed, xrefs: 003B4635, 003B463A
removable, xrefs: 003B45EA, 003B45EF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: e097a28f5d44e771c1fa4fc9d473103e1531a269f22028e886db9e58f42986af
Instruction ID: bf8b9be86273d2e9185234daf7976814845d07adbbedc8f4c8012f22f254b998
Opcode Fuzzy Hash: e097a28f5d44e771c1fa4fc9d473103e1531a269f22028e886db9e58f42986af
Instruction Fuzzy Hash: C1B137316083029FC712DF28C891ABEB7E4BF96718F11491EF696CB692D730E844CB56

Function 003D911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

DragQueryPoint.SHELL32(?,?), ref: 003D9147

Part of subcall function 003D7674: ClientToScreen.USER32(?,?), ref: 003D769A
Part of subcall function 003D7674: GetWindowRect.USER32(?,?), ref: 003D7710
Part of subcall function 003D7674: PtInRect.USER32(?,?,003D8B89), ref: 003D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 003D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 003D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 003D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 003D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 003D9277
DragFinish.SHELL32(?), ref: 003D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003D9371

Strings

p#A, xrefs: 003D92BB
@GUI_DRAGID, xrefs: 003D92E9
@GUI_DRAGFILE, xrefs: 003D9320
@GUI_DROPID, xrefs: 003D929E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#A
API String ID: 221274066-1905417563
Opcode ID: ce0b3db6cb4250a3e9cb13bb69ec04ca3d2734a6e15236ef8044fd3cadddf34e
Instruction ID: 345640eb7b74cc67e7379866579827881ae966cacdaa3be344b0d30ffac50136
Opcode Fuzzy Hash: ce0b3db6cb4250a3e9cb13bb69ec04ca3d2734a6e15236ef8044fd3cadddf34e
Instruction Fuzzy Hash: D4615E71118305AFC702DF54EC85EAFBBE8EF85750F00092EF5959B2A1DB70AA49CB52

Function 0034326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00411990), ref: 00382F8D
GetMenuItemCount.USER32(00411990), ref: 0038303D
GetCursorPos.USER32(?), ref: 00383081
SetForegroundWindow.USER32(00000000), ref: 0038308A
TrackPopupMenuEx.USER32(00411990,00000000,?,00000000,00000000,00000000), ref: 0038309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003830A9

Strings

0, xrefs: 0034327D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: cb68e6bbc427734b8f85dba6062293d900818537b0193f304c39d98db839639d
Instruction ID: 4beed7a9c179e412ee6410d0e3b8b86dcbf62490f08579a4f934976424bf28e1
Opcode Fuzzy Hash: cb68e6bbc427734b8f85dba6062293d900818537b0193f304c39d98db839639d
Instruction Fuzzy Hash: 69710770644306BEEB239F25DC49FAABFA9FF05324F204256F6256A1E1C7B1A910DB50

Function 003D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 003D6DEB

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003D6E94
DestroyWindow.USER32(?), ref: 003D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00340000,00000000), ref: 003D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003D6EFD
GetDesktopWindow.USER32 ref: 003D6F16
GetWindowRect.USER32(00000000), ref: 003D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003D6F4D

Part of subcall function 00359944: GetWindowLongW.USER32(?,000000EB), ref: 00359952

Strings

0, xrefs: 003D6D98
tooltips_class32, xrefs: 003D6E58, 003D6EDD

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 5eb20eeb9f6685fce12c727bcf588f11f86f295feecdaff61309e340200d1889
Instruction ID: b0cffecc0db6c7041de8b352fa80975a60bd86b0e92357acd20baeca63ed8259
Opcode Fuzzy Hash: 5eb20eeb9f6685fce12c727bcf588f11f86f295feecdaff61309e340200d1889
Instruction Fuzzy Hash: B17167B1114241AFDB22CF18EC55BAABBE9FB89304F04452EF9A987361C770E905CB16

Function 003BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 003BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 003BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 003BC5F0
InternetCloseHandle.WININET(00000000), ref: 003BC5FB

Strings

, xrefs: 003BC575

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: a936f39df43c5ad1cfe186f5a17d2ad6aa70312852857c11be3506dd31ed545f
Instruction ID: fe601bbcc3a8baf1fb95c9508a9449afea16031bcb38892916b46532d56e4ec1
Opcode Fuzzy Hash: a936f39df43c5ad1cfe186f5a17d2ad6aa70312852857c11be3506dd31ed545f
Instruction Fuzzy Hash: BF516FB0521209BFDB328F61D988AEB7BBCFF05748F00541AFA45D6910DB34EA44DB60

Function 003D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 003D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003D85BA
GlobalLock.KERNEL32(00000000), ref: 003D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003D85D7
GlobalUnlock.KERNEL32(00000000), ref: 003D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 003D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,003DFC38,?), ref: 003D8611
GlobalFree.KERNEL32(00000000), ref: 003D8621
GetObjectW.GDI32(?,00000018,?), ref: 003D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 003D8671
DeleteObject.GDI32(?), ref: 003D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003D86AF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 42d095f1fbd2281ee8d585d7e6db3f00c1971ab0ef804c6279a6a3b83a18fd95
Instruction ID: 78548f67b407d003a8ffda6c81f6bf5a3fe965401d961fe17831dd694190ca2e
Opcode Fuzzy Hash: 42d095f1fbd2281ee8d585d7e6db3f00c1971ab0ef804c6279a6a3b83a18fd95
Instruction Fuzzy Hash: F7413A75611209AFDB129FA5EC88EAE7BBDFF89711F10455AF905E7260DB30AD01CB20

Function 003B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 003B1502
VariantCopy.OLEAUT32(?,?), ref: 003B150B
VariantClear.OLEAUT32(?), ref: 003B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 003B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 003B1657
VariantInit.OLEAUT32(?), ref: 003B1708
SysFreeString.OLEAUT32(?), ref: 003B178C
VariantClear.OLEAUT32(?), ref: 003B17D8
VariantClear.OLEAUT32(?), ref: 003B17E7
VariantInit.OLEAUT32(00000000), ref: 003B1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 003B1625
Default, xrefs: 003B16AF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 1b8e08e6044fb9263e1e9c4fb8129ba253bdd784af95da5f28344bb76e96a493
Instruction ID: 5593c7a218f2f4e86c9301311fb7efb9ca45043edbcf9efd883f26bae3cb3bdc
Opcode Fuzzy Hash: 1b8e08e6044fb9263e1e9c4fb8129ba253bdd784af95da5f28344bb76e96a493
Instruction Fuzzy Hash: 31D10232600105DBCB229F65E8A5BB9B7B9BF46704F908057FA06AF990DB30ED44DB91

Function 003CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003CB6AE,?,?), ref: 003CC9B5
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CC9F1
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA68
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 003CB80A
RegCloseKey.ADVAPI32(?), ref: 003CB87E
RegCloseKey.ADVAPI32(?), ref: 003CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 003CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 003CB922
FreeLibrary.KERNEL32(00000000), ref: 003CB983
RegCloseKey.ADVAPI32(00000000), ref: 003CB994

Strings

RegDeleteKeyExW, xrefs: 003CB8FE
advapi32.dll, xrefs: 003CB8ED

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 6453f66876d6f5ece80862768461abb59743fe2b29675605786b798bf33e2d05
Instruction ID: 33a4f5b433143e370abf320e104c6f983f62633cbfce3fb36ac9492c99e01aea
Opcode Fuzzy Hash: 6453f66876d6f5ece80862768461abb59743fe2b29675605786b798bf33e2d05
Instruction Fuzzy Hash: F9C17A35215241AFD712DF24C496F2AFBE5BF84308F15859CE49A8F2A2CB35EC45CB92

Function 003C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 003C25E8
CreateCompatibleDC.GDI32(?), ref: 003C25F4
SelectObject.GDI32(00000000,?), ref: 003C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 003C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 003C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 003C26D0
SelectObject.GDI32(?,?), ref: 003C26D8
DeleteObject.GDI32(?), ref: 003C26E1
DeleteDC.GDI32(?), ref: 003C26E8
ReleaseDC.USER32(00000000,?), ref: 003C26F3

Strings

(, xrefs: 003C268D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 101e4bf94783a70a6440649716071360eec860cfdc7ac92d22743e5d7403e306
Instruction ID: e2e3fa97adab3e7c96acc51edfcaaffa61d57bd56186bb6f34161f872aa4b38a
Opcode Fuzzy Hash: 101e4bf94783a70a6440649716071360eec860cfdc7ac92d22743e5d7403e306
Instruction Fuzzy Hash: C861E175D1021AEFCB05CFA8D884EAEBBB9FF48310F24852AE955A7250D770AD51CF60

Function 0037DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0037DAA1

Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D659
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D66B
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D67D
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D68F
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D6A1
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D6B3
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D6C5
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D6D7
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D6E9
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D6FB
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D70D
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D71F
Part of subcall function 0037D63C: _free.LIBCMT ref: 0037D731

_free.LIBCMT ref: 0037DA96

Part of subcall function 003729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000), ref: 003729DE
Part of subcall function 003729C8: GetLastError.KERNEL32(00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000,00000000), ref: 003729F0

_free.LIBCMT ref: 0037DAB8
_free.LIBCMT ref: 0037DACD
_free.LIBCMT ref: 0037DAD8
_free.LIBCMT ref: 0037DAFA
_free.LIBCMT ref: 0037DB0D
_free.LIBCMT ref: 0037DB1B
_free.LIBCMT ref: 0037DB26
_free.LIBCMT ref: 0037DB5E
_free.LIBCMT ref: 0037DB65
_free.LIBCMT ref: 0037DB82
_free.LIBCMT ref: 0037DB9A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ab89f8259e8f2d389a1d62899778a093b5529bcddbb4675a81c7c49a2ba1612c
Instruction ID: 382551ffdb663e32fbbc7cc168c7e637101ff979fd8391dc0af136dbfd39f3f3
Opcode Fuzzy Hash: ab89f8259e8f2d389a1d62899778a093b5529bcddbb4675a81c7c49a2ba1612c
Instruction Fuzzy Hash: 0B314A316042059FEB33AA39E845B5BB7F9FF02310F16C429E54DDB195DB39AC908B64

Function 003A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003A369C
_wcslen.LIBCMT ref: 003A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003A3797
GetClassNameW.USER32(?,?,00000400), ref: 003A380C
GetDlgCtrlID.USER32(?), ref: 003A385D
GetWindowRect.USER32(?,?), ref: 003A3882
GetParent.USER32(?), ref: 003A38A0
ScreenToClient.USER32(00000000), ref: 003A38A7
GetClassNameW.USER32(?,?,00000100), ref: 003A3921
GetWindowTextW.USER32(?,?,00000400), ref: 003A395D

Strings

%s%u, xrefs: 003A3734

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b9fe040965e92ac47a76800380df2088e9a751fbe5634ac1cba5b91e188d069e
Instruction ID: 8c53c8bd4b19e760e4727ef4040c717ec12a3409bbc39982e43d982e26bbdcc2
Opcode Fuzzy Hash: b9fe040965e92ac47a76800380df2088e9a751fbe5634ac1cba5b91e188d069e
Instruction Fuzzy Hash: F091C171204606AFD71ADF24C885FEAF7A8FF45350F00862DF999D6190DB34EA49CB91

Function 003A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 003A4994
GetWindowTextW.USER32(?,?,00000400), ref: 003A49DA
_wcslen.LIBCMT ref: 003A49EB
CharUpperBuffW.USER32(?,00000000), ref: 003A49F7
_wcsstr.LIBVCRUNTIME ref: 003A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 003A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 003A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 003A4B20
GetWindowRect.USER32(?,?), ref: 003A4B8B

Strings

ThumbnailClass, xrefs: 003A4A6F, 003A4AF1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 23235efd9470e58d34cd107a9220c8fb63526df1c553ae1186133db849914add
Instruction ID: 4ea0d9d08ef1ec1dffce65bbbc2313ee9ebb49e2e887759b11737d925d5b8434
Opcode Fuzzy Hash: 23235efd9470e58d34cd107a9220c8fb63526df1c553ae1186133db849914add
Instruction Fuzzy Hash: 1291E1710082069FDB06CF14D981FAA77E8FFC6314F04846AFD859A196EB70ED45CBA1

Function 003D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003D8D5A
GetFocus.USER32 ref: 003D8D6A
GetDlgCtrlID.USER32(00000000), ref: 003D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 003D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003D8ECF
GetMenuItemCount.USER32(?), ref: 003D8EEC
GetMenuItemID.USER32(?,00000000), ref: 003D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003D8FA1

Strings

0, xrefs: 003D8E9F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: fe1f4889889238c43eebb2fdbb5f2f787d63fa7860586d18f6beaf6d8cd6bb39
Instruction ID: 88bd72a6dc60e48c0ba2e455c34803dd98cfb4e72b1c8980023b2886aa16fe50
Opcode Fuzzy Hash: fe1f4889889238c43eebb2fdbb5f2f787d63fa7860586d18f6beaf6d8cd6bb39
Instruction Fuzzy Hash: D781AF725083019FD712CF24E884AABBBEEFB88754F15091AF9949B391DB30E904CB61

Function 003ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003ADC46
_wcslen.LIBCMT ref: 003ADC50
_wcsstr.LIBVCRUNTIME ref: 003ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003ADCBC

Strings

04090000, xrefs: 003ADCF2
DefaultLangCodepage, xrefs: 003ADD1F
\VarFileInfo\Translation, xrefs: 003ADCB4
StringFileInfo\, xrefs: 003ADC8F
%u.%u.%u.%u, xrefs: 003ADD9A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 5df1583d5c24b2d184559f333b794295eda3865386705bc8652a50e6a1a853b7
Instruction ID: 54b9e93091f5bfbd9ac040627c21b78780e85904627b7b874e3edd98ba90e3cd
Opcode Fuzzy Hash: 5df1583d5c24b2d184559f333b794295eda3865386705bc8652a50e6a1a853b7
Instruction Fuzzy Hash: 10411232A402017AEB03B7749C47EFF77ACEF56710F10806AF901AA196EB749A0086A4

Function 003CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 003CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003CCD48

Part of subcall function 003CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 003CCCAA
Part of subcall function 003CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 003CCCBD
Part of subcall function 003CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003CCCCF
Part of subcall function 003CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 003CCD05
Part of subcall function 003CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 003CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 003CCCF3

Strings

RegDeleteKeyExW, xrefs: 003CCCC9
advapi32.dll, xrefs: 003CCCB8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 8d911ba9478a7af813cea99cbac0d4c35b9040d7acdbcd8f3e0dbd08c1d8c0e2
Instruction ID: 193942282d0389ad8e563f9319946f67592e61f6a4406b7cc4aa64867f9c1cb4
Opcode Fuzzy Hash: 8d911ba9478a7af813cea99cbac0d4c35b9040d7acdbcd8f3e0dbd08c1d8c0e2
Instruction Fuzzy Hash: A4318471921129BBDB229B50DC88EFFBB7CEF15740F015169E90AE2140DB349E45DBA0

Function 003B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003B3D40
_wcslen.LIBCMT ref: 003B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 003B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 003B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003B3E55
CloseHandle.KERNEL32(00000000), ref: 003B3E60
CloseHandle.KERNEL32(00000000), ref: 003B3E6B

Strings

:, xrefs: 003B3D82
\??\%s, xrefs: 003B3D5B
\, xrefs: 003B3D77

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 42253dc73f6dac6cab827bdf3b0f9e87260be1ab15009fdd7e4be87273913cc3
Instruction ID: 2b04d3cd469676cd90561690691b06f25b611cdcc5e3cd08b96ae3eb5d0d7925
Opcode Fuzzy Hash: 42253dc73f6dac6cab827bdf3b0f9e87260be1ab15009fdd7e4be87273913cc3
Instruction Fuzzy Hash: B331D47595021AABDB229BA0DC48FEF37BCEF88704F1141BAF605D6060EB749744CB24

Function 003AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003AE6B4

Part of subcall function 0035E551: timeGetTime.WINMM(?,?,003AE6D4), ref: 0035E555

Sleep.KERNEL32(0000000A), ref: 003AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 003AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003AE727
SetActiveWindow.USER32 ref: 003AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 003AE773
Sleep.KERNEL32(000000FA), ref: 003AE77E
IsWindow.USER32 ref: 003AE78A
EndDialog.USER32(00000000), ref: 003AE79B

Strings

BUTTON, xrefs: 003AE719

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: bd65b34a60b67dc5b5068f51cb5bfbbef2285cfa47db8dd3b9d25930f91be503
Instruction ID: 486300457970e6aab22e58818e87f8849d98a7f30de8cbecb9d7d3aed7bd6c0a
Opcode Fuzzy Hash: bd65b34a60b67dc5b5068f51cb5bfbbef2285cfa47db8dd3b9d25930f91be503
Instruction Fuzzy Hash: 11216FB0220206AFEB035F60FD89B657B6DF796349F145436F911D25B1DBB2AC10CA28

Function 003AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003AEAA7

Strings

close PlayMe, xrefs: 003AEA6E, 003AEA9B
play PlayMe wait, xrefs: 003AEA91
status PlayMe mode, xrefs: 003AEA58
open , xrefs: 003AEA0C
play PlayMe, xrefs: 003AEAA2
alias PlayMe, xrefs: 003AEA36

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c4715b1d287a2182088b441aa64b1abe4eba0834848e9f83c0e83cabf39f010c
Instruction ID: 0934c1b866571409cdd61a1a63e94584b5382730ed1662e1dd3f78be79fd1f03
Opcode Fuzzy Hash: c4715b1d287a2182088b441aa64b1abe4eba0834848e9f83c0e83cabf39f010c
Instruction Fuzzy Hash: 6A117371A902597DE721A7A5DC4AFFF6ABCEBD2B00F11043A7802AB0D1EE701D15C5B0

Function 003A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003A5CE2
GetWindowRect.USER32(00000000,?), ref: 003A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 003A5D59
GetDlgItem.USER32(?,00000002), ref: 003A5D69
GetWindowRect.USER32(00000000,?), ref: 003A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 003A5DCF
GetDlgItem.USER32(?,000003E9), ref: 003A5DDD
GetWindowRect.USER32(00000000,?), ref: 003A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 003A5E31
GetDlgItem.USER32(?,000003EA), ref: 003A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 003A5E67

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 08926c8266a664389bcda962fe78c8a35ba8d569aa8353d6694dd3f426887881
Instruction ID: 86e8f78e4a7384e3106bbbbe331dda87efe91a6415aee3e8ec12abc3dd0d62aa
Opcode Fuzzy Hash: 08926c8266a664389bcda962fe78c8a35ba8d569aa8353d6694dd3f426887881
Instruction Fuzzy Hash: 06512DB1B11606AFDF19CF68DD89AAEBBB9FB49300F148129F515E6290D770DE00CB50

Function 00358BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00358F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00358BE8,?,00000000,?,?,?,?,00358BBA,00000000,?), ref: 00358FC5

DestroyWindow.USER32(?), ref: 00358C81
KillTimer.USER32(00000000,?,?,?,?,00358BBA,00000000,?), ref: 00358D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00396973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00358BBA,00000000,?), ref: 003969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00358BBA,00000000,?), ref: 003969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00358BBA,00000000), ref: 003969D4
DeleteObject.GDI32(00000000), ref: 003969E6

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4bb1710c39d9b5b466c1cc0889a78387d56f4f00bda0a8f8bb1003a7805f0cab
Instruction ID: 58cf913d78654e7e264679e7154ec9bcfa084e923c2051fe6f75d6d1fe56cec7
Opcode Fuzzy Hash: 4bb1710c39d9b5b466c1cc0889a78387d56f4f00bda0a8f8bb1003a7805f0cab
Instruction Fuzzy Hash: BC619D71523601DFCF239F24D949B69B7F5FB40312F159529E942AA970CB31AC84CF94

Function 00359838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00359944: GetWindowLongW.USER32(?,000000EB), ref: 00359952

GetSysColor.USER32(0000000F), ref: 00359862

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 2834a52222d63e187d544651d2c8126bf4ac58e330dd7540460b70cc22fdf004
Instruction ID: b97112706f0aff32f6cf331fb9a3ce78e96bcb482449d095d9a6387026614a0a
Opcode Fuzzy Hash: 2834a52222d63e187d544651d2c8126bf4ac58e330dd7540460b70cc22fdf004
Instruction Fuzzy Hash: 0541A031115611DFDF225F38AC88FB93BA9AB06332F165616F9A28B2F1D7319C46DB10

Function 00378D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.6, xrefs: 0037903A, 00378FD0, 00378FF2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: .6
API String ID: 0-1713163095
Opcode ID: e8bd6839488a77d70fcbd00b1c350f4330fe01751d400bbeda377ed0e3a666e9
Instruction ID: 4c92c4a1e631a2c6951fc74c2e0eea320d4466705a225cc45a9651aaf332f97a
Opcode Fuzzy Hash: e8bd6839488a77d70fcbd00b1c350f4330fe01751d400bbeda377ed0e3a666e9
Instruction Fuzzy Hash: 78C1D774E042499FDB23DFA8D885BEDBBB4AF0A310F05C156E518AB392C7789941CF61

Function 003A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0038F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 003A9717
LoadStringW.USER32(00000000,?,0038F7F8,00000001), ref: 003A9720

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0038F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 003A9742
LoadStringW.USER32(00000000,?,0038F7F8,00000001), ref: 003A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 003A9866

Strings

Line %d (File "%s"):, xrefs: 003A978F
%s (%d) : ==> %s: %s %s, xrefs: 003A984A
^ ERROR, xrefs: 003A97FB
Line %d:, xrefs: 003A97A0
Error: , xrefs: 003A981D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 2b605bfea90f33e8a0e0aa2c2be1e41e48f69d419af1a80240f4e272dac37192
Instruction ID: 91aad9551fb64cad29ee63f2371974863f87d5bf7fcef57c1477e3fca9931706
Opcode Fuzzy Hash: 2b605bfea90f33e8a0e0aa2c2be1e41e48f69d419af1a80240f4e272dac37192
Instruction Fuzzy Hash: 97412F72900219AADB06EFE0DD86EEE77BCEF15340F500166B5057B092EB356F48CB61

Function 003A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 003A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 003A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 003A083C

Strings

\IPC$, xrefs: 003A0784
SOFTWARE\Classes\, xrefs: 003A070E
\CLSID, xrefs: 003A0724

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 0a727d97f90dce2c2c6589bb24a8b24990b6db04648db1ff8238809c2b5fddc1
Instruction ID: 82e04da1204d27c4c45b83e73ec64684834a70a37f10a0c8fc36259fd8865237
Opcode Fuzzy Hash: 0a727d97f90dce2c2c6589bb24a8b24990b6db04648db1ff8238809c2b5fddc1
Instruction Fuzzy Hash: EA41F972C10229ABDF16EFA4DC95DEEB7B8FF04350F154166E905AB161EB34AE04CB90

Function 003C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003C3C5C
CoInitialize.OLE32(00000000), ref: 003C3C8A
CoUninitialize.OLE32 ref: 003C3C94
_wcslen.LIBCMT ref: 003C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 003C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 003C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 003C3F0E
CoGetObject.OLE32(?,00000000,003DFB98,?), ref: 003C3F2D
SetErrorMode.KERNEL32(00000000), ref: 003C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003C3FC4
VariantClear.OLEAUT32(?), ref: 003C3FD8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 547b775151929afabc5d2d2bea9209110085fe5c94b68aaef9cdd1a44a50063c
Instruction ID: d6998c7773e9c5f13c1cb597d5552e6b4dbad0c330e0a9ceeae23ca1d557a052
Opcode Fuzzy Hash: 547b775151929afabc5d2d2bea9209110085fe5c94b68aaef9cdd1a44a50063c
Instruction Fuzzy Hash: 53C1F2716082059FD702DF68C884E2AB7E9FF89744F10895DF98ADB251DB31ED05CB52

Function 003B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 003B7BA3
CoCreateInstance.OLE32(003DFD08,00000000,00000001,00406E6C,?), ref: 003B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003B7C74
CoTaskMemFree.OLE32(?,?), ref: 003B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 003B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003B7D7A
CoTaskMemFree.OLE32(00000000), ref: 003B7D81
CoTaskMemFree.OLE32(00000000), ref: 003B7DD6
CoUninitialize.OLE32 ref: 003B7DDC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 39d628498a7501d215ca6eb111eb194ed32b2cec9727db2d06791e354dcbe795
Instruction ID: 187036f186cf09afcbf8a99636dfedb1bc00bc5e1d1a28e5cc3bb6b45efb8359
Opcode Fuzzy Hash: 39d628498a7501d215ca6eb111eb194ed32b2cec9727db2d06791e354dcbe795
Instruction Fuzzy Hash: A9C12975A04109AFCB15DFA4C884DAEBBF9FF48308B148499E91A9B761D730EE45CB90

Function 003D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003D5515
CharNextW.USER32(00000158), ref: 003D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003D55AC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: d701b4fb207ddf05cadabc3f717d817a677a35b2d11ff334475318ff9f5580e4
Instruction ID: 77a60a9f89c260e9a39451a0841a2e007e4d769b246c3dd6e19c7a75030dc1e6
Opcode Fuzzy Hash: d701b4fb207ddf05cadabc3f717d817a677a35b2d11ff334475318ff9f5580e4
Instruction Fuzzy Hash: FB61C072904609EFDF128F65EC84DFE7BB9EB06321F148147F925AA390D7708A80DB61

Function 0039FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0039FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0039FB08
VariantInit.OLEAUT32(?), ref: 0039FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0039FB3A
VariantCopy.OLEAUT32(?,?), ref: 0039FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0039FBA1
VariantClear.OLEAUT32(?), ref: 0039FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0039FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0039FBCC
VariantClear.OLEAUT32(?), ref: 0039FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0039FBE9

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 78d99e4c2e7dc54c9e08c9d37b3ce8d46046c25f0d6c0045c0dd702a64b90164
Instruction ID: 98c1ba35927e4358700ce455fcae5cd025254733161eb59b014f8eb37cf8827e
Opcode Fuzzy Hash: 78d99e4c2e7dc54c9e08c9d37b3ce8d46046c25f0d6c0045c0dd702a64b90164
Instruction Fuzzy Hash: F5416035A1021A9FCF06DF69D8549EEBBB9FF08344F008069E905EB261CB30A945CF90

Function 003A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 003A9D22
GetKeyState.USER32(000000A0), ref: 003A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 003A9D57
GetKeyState.USER32(000000A1), ref: 003A9D6C
GetAsyncKeyState.USER32(00000011), ref: 003A9D84
GetKeyState.USER32(00000011), ref: 003A9D96
GetAsyncKeyState.USER32(00000012), ref: 003A9DAE
GetKeyState.USER32(00000012), ref: 003A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 003A9DD8
GetKeyState.USER32(0000005B), ref: 003A9DEA

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f29529fbd26a33115057a1ed4f0817d72968984ac658204353e8a6c31a820191
Instruction ID: 939372ca3e1bb70efcd0cc77b694eef50d6d072720b4055891c93fc70617827b
Opcode Fuzzy Hash: f29529fbd26a33115057a1ed4f0817d72968984ac658204353e8a6c31a820191
Instruction Fuzzy Hash: AC41D634504BCA6DFF33866498443B5BEA1EF13354F09805BDAC6665C2EBA499C8C7A2

Function 003C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003C05BC
inet_addr.WSOCK32(?), ref: 003C061C
gethostbyname.WSOCK32(?), ref: 003C0628
IcmpCreateFile.IPHLPAPI ref: 003C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 003C07B9
WSACleanup.WSOCK32 ref: 003C07BF

Strings

Ping, xrefs: 003C0676

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: a348368209b92a914439e67e3159bb8557cd1d60dff9b2237efc5497b5b9d46b
Instruction ID: 705045d67bced3a589654858556dae08125b3c017127bdfb382fcce111fb4026
Opcode Fuzzy Hash: a348368209b92a914439e67e3159bb8557cd1d60dff9b2237efc5497b5b9d46b
Instruction Fuzzy Hash: 87918935608281DFD72ADF15C889F1ABBE4AB44318F1585ADE469CF6A2C730ED45CF81

Function 003C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 003C8CF3

Part of subcall function 003A8E54: _wcslen.LIBCMT ref: 003A8E77

_wcslen.LIBCMT ref: 003C8D4E
_wcslen.LIBCMT ref: 003C8D9C
_wcslen.LIBCMT ref: 003C8DDC
_wcslen.LIBCMT ref: 003C8E6E

Strings

winapi, xrefs: 003C8D96, 003C8D9B
cdecl, xrefs: 003C8D48, 003C8D4D
stdcall, xrefs: 003C8DD6, 003C8DDB
none, xrefs: 003C8E65, 003C8E6A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: b2e4224ab00b1a3d37ecf650d96658027c2ad8cb18e30e96b5e8b09f96357f47
Instruction ID: 342ed79be90318dfa43a9a67966d2ffc220b6a2989eaa6a6659a8d2ac7bfbcbb
Opcode Fuzzy Hash: b2e4224ab00b1a3d37ecf650d96658027c2ad8cb18e30e96b5e8b09f96357f47
Instruction Fuzzy Hash: E3518131A001169BCB16DF7CC940ABEB7E5BF65724B21462EE426EB2C5DB35EE40C790

Function 003C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 003C3774
CoUninitialize.OLE32 ref: 003C377F
CoCreateInstance.OLE32(?,00000000,00000017,003DFB78,?), ref: 003C37D9
IIDFromString.OLE32(?,?), ref: 003C384C
VariantInit.OLEAUT32(?), ref: 003C38E4
VariantClear.OLEAUT32(?), ref: 003C3936

Strings

Failed to create object, xrefs: 003C37E4, 003C389A
NULL Pointer assignment, xrefs: 003C381E
Invalid parameter, xrefs: 003C3865

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: e9da4b83baed377cd4e2602f234c0b39fb53b6e2b57b0b35029ce55d86b1d2e6
Instruction ID: dc27e70d766fc7a71ae3122b2ddafd8afc9293a0fceb03990aa372a7cb7667dc
Opcode Fuzzy Hash: e9da4b83baed377cd4e2602f234c0b39fb53b6e2b57b0b35029ce55d86b1d2e6
Instruction Fuzzy Hash: D8616771608311AFD312DF54D888F6ABBE8EF49714F10885EF9859B291C770EE48CB92

Function 003D8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

Part of subcall function 0035912D: GetCursorPos.USER32(?), ref: 00359141
Part of subcall function 0035912D: ScreenToClient.USER32(00000000,?), ref: 0035915E
Part of subcall function 0035912D: GetAsyncKeyState.USER32(00000001), ref: 00359183
Part of subcall function 0035912D: GetAsyncKeyState.USER32(00000002), ref: 0035919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 003D8B6B
ImageList_EndDrag.COMCTL32 ref: 003D8B71
ReleaseCapture.USER32 ref: 003D8B77
SetWindowTextW.USER32(?,00000000), ref: 003D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 003D8CFF

Strings

p#A, xrefs: 003D8C71
@GUI_DRAGFILE, xrefs: 003D8C9A
@GUI_DROPID, xrefs: 003D8C51

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#A
API String ID: 1924731296-2103205163
Opcode ID: cae19db1149cae8d3ffb0051dbe644e662bd9a0a9d80439b84ceadb473415108
Instruction ID: a281d57c2746b86a7b4df2af909f7d6c1289f80de51ea81188cfc7a43599642b
Opcode Fuzzy Hash: cae19db1149cae8d3ffb0051dbe644e662bd9a0a9d80439b84ceadb473415108
Instruction Fuzzy Hash: BE517C71115204AFD702DF14EC56FAA77E4FB88710F00062AF9569B2E1DB71AD44CB66

Function 003B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 003B33CF

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003B33F0

Strings

Line %d (File "%s"):, xrefs: 003B3443, 003B345C
Incorrect parameters to object property !, xrefs: 003B34AB
"%s" (%d) : ==> %s:%s%s, xrefs: 003B3504
^ ERROR , xrefs: 003B349E
"%s" (%d) : ==> %s:, xrefs: 003B3522
Error: , xrefs: 003B34D1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 0560e9973409eb3b38848cfb40c2c57c26872b3b0d61f54dc43e208e62804ba1
Instruction ID: 14341f86f84cf922748a0bd93053e13cf22826a12740b7f0d2bab5389ee774c1
Opcode Fuzzy Hash: 0560e9973409eb3b38848cfb40c2c57c26872b3b0d61f54dc43e208e62804ba1
Instruction Fuzzy Hash: 53519332940219AADF16EBA0DD46EEEB3B8EF05340F104166F5057B0A2DB357F58CB61

Function 003AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003AB5FC
_wcslen.LIBCMT ref: 003AB608
_wcslen.LIBCMT ref: 003AB64D
_wcslen.LIBCMT ref: 003AB68C
_wcslen.LIBCMT ref: 003AB6C7

Strings

APPEND, xrefs: 003AB6C1, 003AB6C6
REMOVE, xrefs: 003AB602, 003AB607
EXISTS, xrefs: 003AB686, 003AB68B
KEYS, xrefs: 003AB647, 003AB64C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 9c6da81f8903f2faf366bd73d3312117c84c7453e2377a57ea4f3c16f775a601
Instruction ID: 5bbae24284285b8c0aa6aadb0b0670a97dcfa014f17671d86ebbe896e163bf42
Opcode Fuzzy Hash: 9c6da81f8903f2faf366bd73d3312117c84c7453e2377a57ea4f3c16f775a601
Instruction Fuzzy Hash: B741E932A000279BCB116F7DC8905BEF7A5FF62754B26412AE461DB296E735CD81C790

Function 003B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003B5416
GetLastError.KERNEL32 ref: 003B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 003B54A7

Strings

INVALID, xrefs: 003B5459
NOTREADY, xrefs: 003B544B
UNKNOWN, xrefs: 003B5444
READONLY, xrefs: 003B5452
READY, xrefs: 003B5460, 003B5468

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5024b3037a0cdf19938b00c02697b931188457c26b47f8972aa25078b5086290
Instruction ID: fd929c9dae3be1b7e44e84b19fb775dbaf4c9da0372c495824ac6f1d10f471c0
Opcode Fuzzy Hash: 5024b3037a0cdf19938b00c02697b931188457c26b47f8972aa25078b5086290
Instruction Fuzzy Hash: 7931D235A002059FD712DF69C484BEA7BF8EF45309F158066E602DF692DB71ED86CB90

Function 003D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 003D3C79
SetMenu.USER32(?,00000000), ref: 003D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003D3D10
IsMenu.USER32(?), ref: 003D3D24
CreatePopupMenu.USER32 ref: 003D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003D3D5B
DrawMenuBar.USER32 ref: 003D3D63

Strings

F, xrefs: 003D3D4E
0, xrefs: 003D3C54

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a40d1fe6edf9e221f328d64eb94ca0db3b002545d79c55e05028dee7d058c48f
Instruction ID: e04a5fa0a239aa41004f6236934ce47591a4aff20539bfe0665f48b2255fb92e
Opcode Fuzzy Hash: a40d1fe6edf9e221f328d64eb94ca0db3b002545d79c55e05028dee7d058c48f
Instruction Fuzzy Hash: 91416DB5A1120AAFDB15CF64E844ADA77BAFF49350F15002AF94697360D730AE10CF55

Function 003D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 003D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 003D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 003D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 003D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 003D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 003D3C13

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: f8d36e0cebab01fe6a5735167b3ac2f2dde81ba28bf91dad8347c2f835071580
Instruction ID: 911e39371470dc5c1bf84606e5e7f7f9a27a64745350b1411626d3027d986453
Opcode Fuzzy Hash: f8d36e0cebab01fe6a5735167b3ac2f2dde81ba28bf91dad8347c2f835071580
Instruction Fuzzy Hash: 62617C75900248AFDB11DFA8DC81EEE77B8EB09700F10419AFA15AB3A1D774AE45DB50

Function 003AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003AA1E1,?,00000001), ref: 003AB165
GetWindowThreadProcessId.USER32(00000000), ref: 003AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003AA1E1,?,00000001), ref: 003AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 003AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003AA1E1,?,00000001), ref: 003AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003AA1E1,?,00000001), ref: 003AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003AA1E1,?,00000001), ref: 003AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003AA1E1,?,00000001), ref: 003AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003AA1E1,?,00000001), ref: 003AB21D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 306648011ed36d5eef23d8feff2f347093acb9731a6b4abbb4cd672fd5a6c6e2
Instruction ID: 76f4a9bb31010f806f8aa0283cb418a7c1a22d1b940da6b49544ea0efe28f3b9
Opcode Fuzzy Hash: 306648011ed36d5eef23d8feff2f347093acb9731a6b4abbb4cd672fd5a6c6e2
Instruction Fuzzy Hash: CB31CE71520204BFDB129F24EC48BADBBADFB56356F168426FA00D6191D7B4DE00CF64

Function 00372C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00372C94

Part of subcall function 003729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000), ref: 003729DE
Part of subcall function 003729C8: GetLastError.KERNEL32(00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000,00000000), ref: 003729F0

_free.LIBCMT ref: 00372CA0
_free.LIBCMT ref: 00372CAB
_free.LIBCMT ref: 00372CB6
_free.LIBCMT ref: 00372CC1
_free.LIBCMT ref: 00372CCC
_free.LIBCMT ref: 00372CD7
_free.LIBCMT ref: 00372CE2
_free.LIBCMT ref: 00372CED
_free.LIBCMT ref: 00372CFB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 74e5f4975fb695d6ef6d089fc4ccb3e3c121d4fca09e0d81fff98b407f725fdf
Instruction ID: 04d9c68e3bbab72f20ef5ee1c9ad4edc78b69fced551fa15b0179cf7e8ccca81
Opcode Fuzzy Hash: 74e5f4975fb695d6ef6d089fc4ccb3e3c121d4fca09e0d81fff98b407f725fdf
Instruction Fuzzy Hash: FC119676100108AFCB13EF65D842CDE7BA5FF06350F4585A5FA4C5F222D735EAA09B90

Function 003B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 003B7FC1
GetFileAttributesW.KERNEL32(?), ref: 003B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 003B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 003B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 003B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003B80B0

Strings

*.*, xrefs: 003B8066

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b854f1e4abd5fb70987b8ce07f4b70b23fcd3fe39c52f4b1ad39f6bff479cb18
Instruction ID: 754d42074f1a9f71d16e228a2a14f793b8d1c5d3967d40f21eba1be1a9939570
Opcode Fuzzy Hash: b854f1e4abd5fb70987b8ce07f4b70b23fcd3fe39c52f4b1ad39f6bff479cb18
Instruction Fuzzy Hash: BD81BF715182059BCB22EF14C440AEAB3E8FFC8358F154C5AFA85CBA50EB34ED49CB52

Function 00345BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00345C7A

Part of subcall function 00345D0A: GetClientRect.USER32(?,?), ref: 00345D30
Part of subcall function 00345D0A: GetWindowRect.USER32(?,?), ref: 00345D71
Part of subcall function 00345D0A: ScreenToClient.USER32(?,?), ref: 00345D99

GetDC.USER32 ref: 003846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00384708
SelectObject.GDI32(00000000,00000000), ref: 00384716
SelectObject.GDI32(00000000,00000000), ref: 0038472B
ReleaseDC.USER32(?,00000000), ref: 00384733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003847C4

Strings

U, xrefs: 00384693

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: cf3332dfa01989dc6a540fb25ba05e0b7bd4f4dbc1bb3414d8be9fd2aa57cbb8
Instruction ID: 32d69d7e6dfd0cd1b6f4ab3567b15efab51daa8db96172565a19b80b6a4f1796
Opcode Fuzzy Hash: cf3332dfa01989dc6a540fb25ba05e0b7bd4f4dbc1bb3414d8be9fd2aa57cbb8
Instruction Fuzzy Hash: 7E71D031800306DFCF23AF64C984ABA7BB5FF4A310F1942AAF9655A666D3319C41DF50

Function 003B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003B35E4

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

LoadStringW.USER32(00412390,?,00000FFF,?), ref: 003B360A

Strings

Line %d (File "%s"):, xrefs: 003B366B
^ ERROR, xrefs: 003B36C9
"%s" (%d) : ==> %s:%s%s, xrefs: 003B3724
"%s" (%d) : ==> %s:, xrefs: 003B3742
Error: , xrefs: 003B36EF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 51b11649b4abae28f7131294f007f67e2a14133cb4943b76232fde781ca54a94
Instruction ID: 2127967a987b2a837d856e2f9f0fdf14b77c00963444aa996632ab5e1576e20a
Opcode Fuzzy Hash: 51b11649b4abae28f7131294f007f67e2a14133cb4943b76232fde781ca54a94
Instruction Fuzzy Hash: D051A372940219BADF16EFA0DC42EEEBB78EF04300F144166F6057A0A1DB302B99DF65

Function 003BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003BC2CA
GetLastError.KERNEL32 ref: 003BC322
SetEvent.KERNEL32(?), ref: 003BC336
InternetCloseHandle.WININET(00000000), ref: 003BC341

Strings

, xrefs: 003BC2BB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 3e83c00b709b743cac81ccda02dcdc70e15dfe71409dccbc365032e1d196825f
Instruction ID: 4b466f2a5275eb17c46f4b9797ef9d42ac64f842bdc80f85c2bbb6dc9c01e818
Opcode Fuzzy Hash: 3e83c00b709b743cac81ccda02dcdc70e15dfe71409dccbc365032e1d196825f
Instruction Fuzzy Hash: 85318FB5620204AFDB339F649884AEB7BFCEB49748F54951EF58AD6A00DB34DD04CB60

Function 003A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00383AAF,?,?,Bad directive syntax error,003DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 003A98BC
LoadStringW.USER32(00000000,?,00383AAF,?), ref: 003A98C3

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003A9987

Strings

Line %d (File "%s"):, xrefs: 003A992D
Error: , xrefs: 003A9955
Line %d:, xrefs: 003A9912
., xrefs: 003A996D
%s (%d) : ==> %s.: %s %s, xrefs: 003A98F1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 8293758a0f9c033e2055ba0613c8b1c795c0bca3dab009b6158ecccb1f6ebef7
Instruction ID: 72cc6104095a17cfed588a8bb2334bc22df5a6dfc095482c511996ab894348fc
Opcode Fuzzy Hash: 8293758a0f9c033e2055ba0613c8b1c795c0bca3dab009b6158ecccb1f6ebef7
Instruction Fuzzy Hash: FD216F3295021AABDF16AF90CC0AFEE7779FF18300F04446AF5157A0A2DB35A628DB50

Function 003A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 003A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003A214D

Strings

details, xrefs: 003A20FB
SHELLDLL_DefView, xrefs: 003A20CC
list, xrefs: 003A212F
smallicons, xrefs: 003A2115
largeicons, xrefs: 003A20E1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: f008d75805d910b158eea22f22280a0fec0567a646e41dc1d553e0b0e46753df
Instruction ID: 0cbfd4fc0c91786c7bae8d59626ccd0e6a7ca8be01ae629fecd14c6a8c7f6e76
Opcode Fuzzy Hash: f008d75805d910b158eea22f22280a0fec0567a646e41dc1d553e0b0e46753df
Instruction Fuzzy Hash: 54113A76684307B9FA032224EC06DA7379CDF16324F204027F704B80D1EE75B8115A18

Function 0037CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0037CEB7
_free.LIBCMT ref: 0037CF22
_free.LIBCMT ref: 0037CF48
_free.LIBCMT ref: 0037CF71
_free.LIBCMT ref: 0037CFA9
_free.LIBCMT ref: 0037CFDA
_free.LIBCMT ref: 0037D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0037D09C
_free.LIBCMT ref: 0037D0B5

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 646a323dc1fda26d51a4e20ad882445b40d830888944a1a8940b241cf5241927
Instruction ID: f5d85f9d3b37c4a003bfa3f07d57af56057683fbf33724d0ba7e4ee2aa50eac6
Opcode Fuzzy Hash: 646a323dc1fda26d51a4e20ad882445b40d830888944a1a8940b241cf5241927
Instruction Fuzzy Hash: C2610671914301AFDB33AFB4A891AAE7BE5AF06320F05C16EF94CAB281D7399D41C750

Function 003D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 003D5186
ShowWindow.USER32(?,00000000), ref: 003D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 003D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 003D51D1

Part of subcall function 003D6FBA: DeleteObject.GDI32(00000000), ref: 003D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 003D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 003D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 003D5296

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5f991fc5aea1c1335a6e564976de5cb02aa014c6ef4f2b47a4702879e6d7312e
Instruction ID: 0b94da15a7dd1f8b97dca855d9f8f9c04fc3b1a29ee787b358aef8f0917d0419
Opcode Fuzzy Hash: 5f991fc5aea1c1335a6e564976de5cb02aa014c6ef4f2b47a4702879e6d7312e
Instruction Fuzzy Hash: C751D332A51A09FEEF229F24EC46BD83B75FB05361F144413FA259A3E0C375A988DB40

Function 00358B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00396890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 003968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 003968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00358874,00000000,00000000,00000000,000000FF,00000000), ref: 00396901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0039691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00358874,00000000,00000000,00000000,000000FF,00000000), ref: 0039692D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: de9796ab8ae4d477df3fb1b23ed0d7265e243506e60a3b3c0f22e9ee56661262
Instruction ID: b98f946a0d326b092a1f202634666880337e053b6df141f33cf830d6c9f51610
Opcode Fuzzy Hash: de9796ab8ae4d477df3fb1b23ed0d7265e243506e60a3b3c0f22e9ee56661262
Instruction Fuzzy Hash: 40519CB0610205EFDF22CF25DC52FAA7BB9FB48361F104519F952A72A0DB70E950DB40

Function 003BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003BC182
GetLastError.KERNEL32 ref: 003BC195
SetEvent.KERNEL32(?), ref: 003BC1A9

Part of subcall function 003BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003BC272
Part of subcall function 003BC253: GetLastError.KERNEL32 ref: 003BC322
Part of subcall function 003BC253: SetEvent.KERNEL32(?), ref: 003BC336
Part of subcall function 003BC253: InternetCloseHandle.WININET(00000000), ref: 003BC341

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 24c4641d19329ea7ed9140e5ebccb6c038affc53678e88c1f4f59abfeac94ec5
Instruction ID: 40e9a5ab0bacaa2966cfe55da5195c0734e2b6fda519b196f45989c1bb840022
Opcode Fuzzy Hash: 24c4641d19329ea7ed9140e5ebccb6c038affc53678e88c1f4f59abfeac94ec5
Instruction Fuzzy Hash: 8B31A271621605AFDB329FA5DC04AA6BBFDFF54304B04681EFA56CAA10C730E910DBA0

Function 003A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003A3A57
Part of subcall function 003A3A3D: GetCurrentThreadId.KERNEL32 ref: 003A3A5E
Part of subcall function 003A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003A25B3), ref: 003A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 003A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 003A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 003A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 003A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 003A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 003A2627

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: ca4de7d6f49de8611c7eb9f997028549f6d7e621ff19612f7f8c1f2091d42bd3
Instruction ID: 9be8bea3e380ab3a6b46b34aa94a15a01a96ec766be0a6240a238cd9df82071e
Opcode Fuzzy Hash: ca4de7d6f49de8611c7eb9f997028549f6d7e621ff19612f7f8c1f2091d42bd3
Instruction Fuzzy Hash: 2001D8307A0320BBFB1167689C8AF597F5DDB4EB11F101002F354AF0D1C9E15444CA6A

Function 003A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,003A1449,?,?,00000000), ref: 003A180C
HeapAlloc.KERNEL32(00000000,?,003A1449,?,?,00000000), ref: 003A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003A1449,?,?,00000000), ref: 003A1828
GetCurrentProcess.KERNEL32(?,00000000,?,003A1449,?,?,00000000), ref: 003A1830
DuplicateHandle.KERNEL32(00000000,?,003A1449,?,?,00000000), ref: 003A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,003A1449,?,?,00000000), ref: 003A1843
GetCurrentProcess.KERNEL32(003A1449,00000000,?,003A1449,?,?,00000000), ref: 003A184B
DuplicateHandle.KERNEL32(00000000,?,003A1449,?,?,00000000), ref: 003A184E
CreateThread.KERNEL32(00000000,00000000,003A1874,00000000,00000000,00000000), ref: 003A1868

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: d7276f4e6be1111c9bdde344676588fa9c79385cf6c64a3bf89c21cc6bd7d34d
Instruction ID: 49c2b8757f36ebd2b97a1701dd6ed312907eaa979dbffe140ba6737827ff95d8
Opcode Fuzzy Hash: d7276f4e6be1111c9bdde344676588fa9c79385cf6c64a3bf89c21cc6bd7d34d
Instruction Fuzzy Hash: 3D01CDB52A1319BFE711AFB5EC4DF6B3BACEB89B11F005411FA05DB1A1CA749800CB20

Function 00373E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00373F0B
__alldvrm.LIBCMT ref: 0037410C
__alldvrm.LIBCMT ref: 0037412E

Strings

}}6, xrefs: 003740CD
}}6, xrefs: 00373E8A
}}6, xrefs: 00373E96, 00373EF1, 00373F0A, 00374090

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}6$}}6$}}6
API String ID: 1036877536-1336002142
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 699ded05fe2ec5fdd819a02cb54e9f65d18968fedd10ad2d4f700d6bf4590666
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 66A13771E003869FD733DE18C8917AAFBE8EF65350F1581ADE5999B241C33CA981C751

Function 003CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 003AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 003AD501
Part of subcall function 003AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 003AD50F
Part of subcall function 003AD4DC: CloseHandle.KERNELBASE(00000000), ref: 003AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 003CA16D
GetLastError.KERNEL32 ref: 003CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 003CA268
GetLastError.KERNEL32(00000000), ref: 003CA273
CloseHandle.KERNEL32(00000000), ref: 003CA2C4

Strings

SeDebugPrivilege, xrefs: 003CA18F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 0d75f9ad92b0930dfd2c17a8a7e841c90a1f28a2026a977927507307de3f040e
Instruction ID: 86f6019ae2180da0ffc993a02f53be84c56478f7b5768ccc0e60a82067c772ec
Opcode Fuzzy Hash: 0d75f9ad92b0930dfd2c17a8a7e841c90a1f28a2026a977927507307de3f040e
Instruction Fuzzy Hash: 9061BC302196429FD322DF18C494F16BBE5AF44318F19848CE4668FBA3C776EC49CB82

Function 003D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 003D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003D3954
_wcslen.LIBCMT ref: 003D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 003D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003D39F4

Strings

SysListView32, xrefs: 003D38F7

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: bcc76a5f41e2d9a8a8627856864a0aa2375a37be64758308d5cc585b78c6d486
Instruction ID: 359245bc7eb282acce5bdca0ecbd87f40fce6983391c5d806915b739a297da1f
Opcode Fuzzy Hash: bcc76a5f41e2d9a8a8627856864a0aa2375a37be64758308d5cc585b78c6d486
Instruction Fuzzy Hash: 2E41C272A00219ABEF229F64DC45BEA7BA9EF08350F110527F958E7281D771DE84CB90

Function 003ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003ABCFD
IsMenu.USER32(00000000), ref: 003ABD1D
CreatePopupMenu.USER32 ref: 003ABD53
GetMenuItemCount.USER32(016348B0), ref: 003ABDA4
InsertMenuItemW.USER32(016348B0,?,00000001,00000030), ref: 003ABDCC

Strings

0, xrefs: 003ABCA8
2, xrefs: 003ABD37

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 2fb9e5d07aed350a979afb0c92f292c6a6ef096f55303ecf43660d2691a56616
Instruction ID: 2e35a81ddc27244aee177928cbf246b24080c485535b08da5b695a9456115a74
Opcode Fuzzy Hash: 2fb9e5d07aed350a979afb0c92f292c6a6ef096f55303ecf43660d2691a56616
Instruction Fuzzy Hash: F051AD70A002459BDF12CFB9D888BAEFBF9FF47314F14825AE401AB292D7709944CB61

Function 00362D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00362D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00362D53
_ValidateLocalCookies.LIBCMT ref: 00362DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00362E0C
_ValidateLocalCookies.LIBCMT ref: 00362E61

Strings

csm, xrefs: 00362DF6
&H6, xrefs: 00362DFE, 00362E07, 00362E18

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &H6$csm
API String ID: 1170836740-834592613
Opcode ID: 4ed2af78d02722541f54e43441e5328fa894939baa766714e5ed12595a49cf91
Instruction ID: ac8b97587b2ede492782c2dbdf1f6d5e07b4261b49983c6cec24d15311a00748
Opcode Fuzzy Hash: 4ed2af78d02722541f54e43441e5328fa894939baa766714e5ed12595a49cf91
Instruction Fuzzy Hash: 6D41C434A00609EBCF12DF68C885ADFBBB5BF45324F16C165E8246B396D7719A05CBD0

Function 003AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003AC913

Strings

blank, xrefs: 003AC895
info, xrefs: 003AC8B4
question, xrefs: 003AC8CC
warning, xrefs: 003AC8FC
stop, xrefs: 003AC8E4

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1f865fcfd700ea37f5394fb4f51591b632dddb332e71351ec6d401a05d3847bc
Instruction ID: 35b5347dfaf98c6f1fc0f5d5531d7b96e14db8f547cf24c4e29d5ac534170bd4
Opcode Fuzzy Hash: 1f865fcfd700ea37f5394fb4f51591b632dddb332e71351ec6d401a05d3847bc
Instruction Fuzzy Hash: 00112B35AA9306BAE7035B54DC82DAB27DCDF16314B21503FF500AA2C2D7B85D00926D

Function 003ADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003ADE42
gethostname.WSOCK32(?,00000100), ref: 003ADE5C
gethostbyname.WSOCK32(?), ref: 003ADE69
inet_ntoa.WSOCK32(?), ref: 003ADEAB
_strcat.LIBCMT ref: 003ADEB9
WSACleanup.WSOCK32 ref: 003ADEDE

Strings

0.0.0.0, xrefs: 003ADE87

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 8ae808d8682abe3a37b65b3dd5b382fa377d9dc046dcd2c2cfd17e9ed3ba68fd
Instruction ID: e74e2e408c7ea60c8876469b411de0631ca2b9f627d590ccd4dcc4585deaed1c
Opcode Fuzzy Hash: 8ae808d8682abe3a37b65b3dd5b382fa377d9dc046dcd2c2cfd17e9ed3ba68fd
Instruction Fuzzy Hash: 64112931914115AFCB26BB70EC4AEEF77ACDF12711F01026AF556AE491EF718A81CA60

Function 003AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003AED2A
_wcslen.LIBCMT ref: 003AED3B
_wcslen.LIBCMT ref: 003AED79
_wcslen.LIBCMT ref: 003AEDAF
_wcslen.LIBCMT ref: 003AEDDF
_wcslen.LIBCMT ref: 003AEDEF
_wcslen.LIBCMT ref: 003AEE2B
_wcslen.LIBCMT ref: 003AEE5A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 0487f025143bc78773fc3ac9dd0cb205f53db8124c551f5ae8d43997480abb7d
Instruction ID: 94d1e69c1b494d37fd6c57c7d5a2d78740fdb919c1c9e14ea10112f5e23947c4
Opcode Fuzzy Hash: 0487f025143bc78773fc3ac9dd0cb205f53db8124c551f5ae8d43997480abb7d
Instruction Fuzzy Hash: 3541B065D1021876DB12EBF4888A9CFB7A8EF46310F50C862E518E7126FB34E255C3E6

Function 0035F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0039682C,00000004,00000000,00000000), ref: 0035F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0039682C,00000004,00000000,00000000), ref: 0039F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0039682C,00000004,00000000,00000000), ref: 0039F454

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 0fca10d845d739e6383f2cb04a5f83b088d1a7d98b5370bae0f5947d3e2adb5a
Instruction ID: f948760d8ccb80b47bc03e882569be7d84232894d636cf5f11b8ffb3436a5904
Opcode Fuzzy Hash: 0fca10d845d739e6383f2cb04a5f83b088d1a7d98b5370bae0f5947d3e2adb5a
Instruction Fuzzy Hash: 8C415E31214E80BECB379B3DD888F6A7B99AF46316F15403DE84796970C732A888CB51

Function 003D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003D2D1B
GetDC.USER32(00000000), ref: 003D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 003D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 003D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003D2DE1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: fd673b63c380fc11ad86dae2489b7507b4a90e4660443eb4cda0c5d54c923e08
Instruction ID: 787c321258883b8d80d1463c2bc5d110160d953e3d0b48950a8ae1127e5ba6e7
Opcode Fuzzy Hash: fd673b63c380fc11ad86dae2489b7507b4a90e4660443eb4cda0c5d54c923e08
Instruction Fuzzy Hash: 70318072222214BFEB124F50EC89FEB3FADEF19715F084056FE089A291D6759C50C7A4

Function 003A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003A5637
_memcmp.LIBVCRUNTIME ref: 003A5659
_memcmp.LIBVCRUNTIME ref: 003A5671
_memcmp.LIBVCRUNTIME ref: 003A5684
_memcmp.LIBVCRUNTIME ref: 003A569E
_memcmp.LIBVCRUNTIME ref: 003A56B1
_memcmp.LIBVCRUNTIME ref: 003A56C9
_memcmp.LIBVCRUNTIME ref: 003A56E4

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d3a6154c1ebb8ab1a1e0930b7f3df44b14dcf59fe44217aafd088d7bf7c43f47
Instruction ID: e089fd36e07facd006f9a67a778785ad9f321665ff44a0b3a7f364b61d593151
Opcode Fuzzy Hash: d3a6154c1ebb8ab1a1e0930b7f3df44b14dcf59fe44217aafd088d7bf7c43f47
Instruction Fuzzy Hash: CC21C666641A09BBD21B56209EC2FFA335CEF22385F588021FD169FB95F721ED2081A5

Function 003C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 003C5007
NULL Pointer assignment, xrefs: 003C502E, 003C5383

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 12e19275b1315baea382330d20fa478de62a893d3beb47fa7aee92e0163070a1
Instruction ID: 886c1f8b13b457c6130fc7aa744ed5ba161c9f71625bd23c0534c3a12db7f2d0
Opcode Fuzzy Hash: 12e19275b1315baea382330d20fa478de62a893d3beb47fa7aee92e0163070a1
Instruction Fuzzy Hash: 99D1AC75A0060A9FDF11CFA8C880FAEB7B5BB48344F15856DE915EB281E770ED81CB90

Function 00381522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,003817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 003815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00381651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,003817FB,?,003817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,003817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 003816FB

Part of subcall function 00373820: RtlAllocateHeap.NTDLL(00000000,?,00411444,?,0035FDF5,?,?,0034A976,00000010,00411440,003413FC,?,003413C6,?,00341129), ref: 00373852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,003817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00381777
__freea.LIBCMT ref: 003817A2
__freea.LIBCMT ref: 003817AE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 78b8e99361463c050b0adc90be7e377c54697bcc03216a2b3a7ee65662507d30
Instruction ID: 5ee18da78a223c7781ecf8134feffc7751c74bee733826aa84af04eb874547eb
Opcode Fuzzy Hash: 78b8e99361463c050b0adc90be7e377c54697bcc03216a2b3a7ee65662507d30
Instruction Fuzzy Hash: 6A91C572E103169ADF22AE74CC81AEE7BBDAF49310F194699F805E7141D735CD46CB60

Function 003C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003C4648
VariantInit.OLEAUT32(?), ref: 003C4749
VariantClear.OLEAUT32(?), ref: 003C4753
VariantClear.OLEAUT32(?), ref: 003C47B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 003C472C
Null Object assignment in FOR..IN loop, xrefs: 003C45D8, 003C4706, 003C47BE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5d9d17167fe6f1c354ee2e44527f84652aa74a07383b4f2d2717043f54f8b231
Instruction ID: 48c6cbb54dc80a603b891ecbfb2bad5d9a92f06e7e20ae0360590bf21a5934f2
Opcode Fuzzy Hash: 5d9d17167fe6f1c354ee2e44527f84652aa74a07383b4f2d2717043f54f8b231
Instruction Fuzzy Hash: 2A91AE71A00219ABDF22CFA4C894FAEBBB8EF46714F10855EF515EB280D7709D45CBA0

Function 003B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 003B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 003B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 003B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 003B1430

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 432978746cf25585ebb30fcb2daad8583ad4d32813de7a154888038def690a32
Instruction ID: 6746600c9dd97550ff4aaf0d7806fca09d968ded89527c92c83879dc6b6322c7
Opcode Fuzzy Hash: 432978746cf25585ebb30fcb2daad8583ad4d32813de7a154888038def690a32
Instruction Fuzzy Hash: 59911471A102099FDB02DF95C8A4BFEB7B9FF45319F114429EA00EFA91D774A941CB90

Function 0035948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 5afda1ef2afa12eaf23d8a8ffc5e37a3902cfb7d5f0e6b4eb4513a6a2ee0d767
Instruction ID: 368b0b03c29bfb2166220ae3a971ac1604658effd884542661211c83cebe9773
Opcode Fuzzy Hash: 5afda1ef2afa12eaf23d8a8ffc5e37a3902cfb7d5f0e6b4eb4513a6a2ee0d767
Instruction Fuzzy Hash: 84912771900219EFCB12CFA9CC84AEEBBB8FF49320F144556E915B7261D374A955CB60

Function 003C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003C396B
CharUpperBuffW.USER32(?,?), ref: 003C3A7A
_wcslen.LIBCMT ref: 003C3A8A
VariantClear.OLEAUT32(?), ref: 003C3C1F

Part of subcall function 003B0CDF: VariantInit.OLEAUT32(00000000), ref: 003B0D1F
Part of subcall function 003B0CDF: VariantCopy.OLEAUT32(?,?), ref: 003B0D28
Part of subcall function 003B0CDF: VariantClear.OLEAUT32(?), ref: 003B0D34

Strings

Incorrect Parameter format, xrefs: 003C39A6, 003C3BA1
AUTOIT.ERROR, xrefs: 003C3A80, 003C3A85

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 9edf0b67757a5653144ea4b88329861579680baa95beb3112be26b7fab486383
Instruction ID: a9cdfb32550c3f87faf72c16f5d4d607fe4a158ac3c1be8875438083f295f1e2
Opcode Fuzzy Hash: 9edf0b67757a5653144ea4b88329861579680baa95beb3112be26b7fab486383
Instruction Fuzzy Hash: BD912575A083059FC705DF28C481A6AB7E4FF89314F14896EF88A9B351DB31EE45CB92

Function 003C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 003A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?,?,?,003A035E), ref: 003A002B
Part of subcall function 003A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?,?), ref: 003A0046
Part of subcall function 003A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?,?), ref: 003A0054
Part of subcall function 003A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?), ref: 003A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 003C4C51
_wcslen.LIBCMT ref: 003C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 003C4DCF
CoTaskMemFree.OLE32(?), ref: 003C4DDA

Strings

NULL Pointer assignment, xrefs: 003C4E23, 003C4E52

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: d8fb11d95d9e173c7ab7ea3a726812626a3567012381d6920b24a2f5a196e617
Instruction ID: 31e486a2d57fe49b86d6e52e19d98bf2af9119c7234bca4d24058ca3c7c3f366
Opcode Fuzzy Hash: d8fb11d95d9e173c7ab7ea3a726812626a3567012381d6920b24a2f5a196e617
Instruction Fuzzy Hash: 1A91F571D00219AFDF16DFA4D891EEEB7B8BF08314F11816AE915AB251DB30AE44CF60

Function 003D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 003D2183
GetMenuItemCount.USER32(00000000), ref: 003D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003D21DD
_wcslen.LIBCMT ref: 003D2213
GetMenuItemID.USER32(?,?), ref: 003D224D
GetSubMenu.USER32(?,?), ref: 003D225B

Part of subcall function 003A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003A3A57
Part of subcall function 003A3A3D: GetCurrentThreadId.KERNEL32 ref: 003A3A5E
Part of subcall function 003A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003A25B3), ref: 003A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003D22E3

Part of subcall function 003AE97B: Sleep.KERNEL32 ref: 003AE9F3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 232ae45546b9e14ce6378f9a7dd30bfdb3d379676b3ed5d91982939008afc844
Instruction ID: 5834ba3fcb873590f6249021a71206967fc382bd304cab012fcd558a919ae88c
Opcode Fuzzy Hash: 232ae45546b9e14ce6378f9a7dd30bfdb3d379676b3ed5d91982939008afc844
Instruction Fuzzy Hash: 7D71AD76E00205AFCB02DF64D841AAEB7F5EF58310F15885AF816EB351DB35EE418B90

Function 003D7E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(016349C8), ref: 003D7F37
IsWindowEnabled.USER32(016349C8), ref: 003D7F43
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 003D801E
SendMessageW.USER32(016349C8,000000B0,?,?), ref: 003D8051
IsDlgButtonChecked.USER32(?,?), ref: 003D8089
GetWindowLongW.USER32(016349C8,000000EC), ref: 003D80AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003D80C3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 23baf10f6e91ed824d23dc75ffae3d9a8c7c7915eaa011f3b6f9c82e86904979
Instruction ID: 94485a8128d19f3a5d1137d0b0e1a016a7460a605dbab9e29916a8bea95d2de9
Opcode Fuzzy Hash: 23baf10f6e91ed824d23dc75ffae3d9a8c7c7915eaa011f3b6f9c82e86904979
Instruction Fuzzy Hash: 9771A076608204AFEB339F54E884FEABBBDEF09300F15405BE955973A1DB31A945CB10

Function 003AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003AAEF9
GetKeyboardState.USER32(?), ref: 003AAF0E
SetKeyboardState.USER32(?), ref: 003AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 003AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 003AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 003AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003AB020

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1bfb8280f39c989943767dca72e73e37acfd8897d0624903207516af1b7ea24b
Instruction ID: 4b438c5ad840164e945430688b4b0087d4d220e49dc3e0930a913a303b42c135
Opcode Fuzzy Hash: 1bfb8280f39c989943767dca72e73e37acfd8897d0624903207516af1b7ea24b
Instruction Fuzzy Hash: BD51B1A1614BD53DFB3B82348C45BBABEA99B07304F09858AE1D9598C3C398A8C8D751

Function 003AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003AAD19
GetKeyboardState.USER32(?), ref: 003AAD2E
SetKeyboardState.USER32(?), ref: 003AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003AAE38

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: ba84b72c49b2c54a44e962533f441489802fba9eace6e226125cf9ac09ff2044
Instruction ID: c911c6ccbb5f66de5d72b2b4364086130ebe50e6366dc8e9a1a73485987dc865
Opcode Fuzzy Hash: ba84b72c49b2c54a44e962533f441489802fba9eace6e226125cf9ac09ff2044
Instruction Fuzzy Hash: 7A51E3A2514BD53DFB3783348C55B7ABEA8EB47300F088489E1D54A8C3D394EC88E762

Function 0037542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00383CD6,?,?,?,?,?,?,?,?,00375BA3,?,?,00383CD6,?,?), ref: 00375470
__fassign.LIBCMT ref: 003754EB
__fassign.LIBCMT ref: 00375506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00383CD6,00000005,00000000,00000000), ref: 0037552C
WriteFile.KERNEL32(?,00383CD6,00000000,00375BA3,00000000,?,?,?,?,?,?,?,?,?,00375BA3,?), ref: 0037554B
WriteFile.KERNEL32(?,?,00000001,00375BA3,00000000,?,?,?,?,?,?,?,?,?,00375BA3,?), ref: 00375584

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 2310e985948671fb10a51a4a5b54c278565070d982d92265baf5ac7bfbe27e5d
Instruction ID: fd83b5da430f6c74ae469eee20019c08b15fbe95f4fa8b44c483c12ff6f16549
Opcode Fuzzy Hash: 2310e985948671fb10a51a4a5b54c278565070d982d92265baf5ac7bfbe27e5d
Instruction Fuzzy Hash: A951F970A006499FDB26CFA8D841AEEBBF9EF09310F14811EF55AE7291D774DA41CB60

Function 003C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003C307A
Part of subcall function 003C304E: _wcslen.LIBCMT ref: 003C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003C1112
WSAGetLastError.WSOCK32 ref: 003C1121
WSAGetLastError.WSOCK32 ref: 003C11C9
closesocket.WSOCK32(00000000), ref: 003C11F9

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: bb08c61c9ea4e64351fe7da1fac6e491db5f03b919244912a0b942693654023f
Instruction ID: 20a424ca23f7038fec94d79bd6234cee39e6fe8e02cad223318491e16a11c8dd
Opcode Fuzzy Hash: bb08c61c9ea4e64351fe7da1fac6e491db5f03b919244912a0b942693654023f
Instruction Fuzzy Hash: 21411431610205AFDB129F14D885FAAB7E9EF46324F188059FD16DF292C778EE41CBA0

Function 003ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003ACF22,?), ref: 003ADDFD

Part of subcall function 003ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003ACF22,?), ref: 003ADE16

lstrcmpiW.KERNEL32(?,?), ref: 003ACF45
MoveFileW.KERNEL32(?,?), ref: 003ACF7F
_wcslen.LIBCMT ref: 003AD005
_wcslen.LIBCMT ref: 003AD01B
SHFileOperationW.SHELL32(?), ref: 003AD061

Strings

\*.*, xrefs: 003ACFF3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: c28a9eacc191a97539df82b837e4dededaad825df017723f635bf9c672904e29
Instruction ID: 9142b6f4ff7e5964d1162aca6718c42b395cf1aaf1b81577ebbd5cefb1b606da
Opcode Fuzzy Hash: c28a9eacc191a97539df82b837e4dededaad825df017723f635bf9c672904e29
Instruction Fuzzy Hash: 994151719452199FDF13EBA4D981ADEB7BCEF09780F1000E6E505EB142EB34AB88CB50

Function 003D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 003D2E1C
GetWindowLongW.USER32(?,000000F0), ref: 003D2E4F
GetWindowLongW.USER32(?,000000F0), ref: 003D2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 003D2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 003D2EE0
GetWindowLongW.USER32(?,000000F0), ref: 003D2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003D2F0B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 2ed3bee5f2177a9f8116018ac6fcc812a45a265a0392db38d7cc7715b378cabe
Instruction ID: 78df12705a835ef0f1a393ea3f3c81ecb393331479f7bc51adf35cfdbbf28a11
Opcode Fuzzy Hash: 2ed3bee5f2177a9f8116018ac6fcc812a45a265a0392db38d7cc7715b378cabe
Instruction Fuzzy Hash: 973115326551419FDB22CF19EC84FA637E5FBAA710F1A51A6FA108F2B1CB71E840DB00

Function 003A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003A778F
SysAllocString.OLEAUT32(00000000), ref: 003A7792
SysAllocString.OLEAUT32(?), ref: 003A77B0
SysFreeString.OLEAUT32(?), ref: 003A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 003A77DE
SysAllocString.OLEAUT32(?), ref: 003A77EC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 965cc40191440778c96651384e268b8e77e812564e68b2b858bb38e836bdd2dd
Instruction ID: c90a8b2171ddc100678d6786b7447156da6c8e3ce1980d459566e81a74b4e911
Opcode Fuzzy Hash: 965cc40191440778c96651384e268b8e77e812564e68b2b858bb38e836bdd2dd
Instruction Fuzzy Hash: EB21C476615219AFDF12DFA8DC88CFB73ACEB0A364B008126F914DB160D670DC41C760

Function 003A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003A7868
SysAllocString.OLEAUT32(00000000), ref: 003A786B
SysAllocString.OLEAUT32 ref: 003A788C
SysFreeString.OLEAUT32 ref: 003A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 003A78AF
SysAllocString.OLEAUT32(?), ref: 003A78BD

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 7063ca25d4fe053cbee18716a3e92a64bab2080b315c19108bc25af4232d039c
Instruction ID: dfff66fe54ab91475e216b71c25dbb9b01914e442130f89c8fb7600d12fcdf15
Opcode Fuzzy Hash: 7063ca25d4fe053cbee18716a3e92a64bab2080b315c19108bc25af4232d039c
Instruction Fuzzy Hash: 1821C131618205AFDB12AFB8DCCDDAA77ECEF0A360B108125F914CB2A4D678DC41CB64

Function 003B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003B052E

Strings

nul, xrefs: 003B0567

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: a8cb1505afb66f3459e3b53a31169df96630cb746d4f220899ebeb8887aa996a
Instruction ID: 10b85625f86f8093413fd94a651ce83fdc0cdd945aec232a4422e16e73b9dd13
Opcode Fuzzy Hash: a8cb1505afb66f3459e3b53a31169df96630cb746d4f220899ebeb8887aa996a
Instruction Fuzzy Hash: C12182755043059FDF359F69DC04ADB77E8AF46728F204A1AFAA1D69E0D7709940CF20

Function 003B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003B0601

Strings

nul, xrefs: 003B0639

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 3391fbb6624849df9755bb5e1146b17b8739173672523da165c4cc4227184952
Instruction ID: f9139d0d7b550ce5ab4ac1c1abae55e8223e88684bfb1954419cfe71fc3f63a8
Opcode Fuzzy Hash: 3391fbb6624849df9755bb5e1146b17b8739173672523da165c4cc4227184952
Instruction Fuzzy Hash: 312171755003059BDB269F69DC04BDB77E8FF95728F200B1AEAA1E76E0D7709860CB10

Function 003D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0034600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0034604C
Part of subcall function 0034600E: GetStockObject.GDI32(00000011), ref: 00346060
Part of subcall function 0034600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0034606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003D4145

Strings

Msctls_Progress32, xrefs: 003D40E3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: f776c028c16318129e44126109be1c8e82e238ae7867d10ee8b077f080a2943f
Instruction ID: 0420a046dd932928cd7a41d0c76fc612d69b4b1a01aef5f1926f0165f5e3ea0d
Opcode Fuzzy Hash: f776c028c16318129e44126109be1c8e82e238ae7867d10ee8b077f080a2943f
Instruction Fuzzy Hash: D41193B2150219BFEF119F64DC86EE77F6DEF08798F014111B718A6190C6769C21DBA4

Function 0037D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0037D7A3: _free.LIBCMT ref: 0037D7CC

_free.LIBCMT ref: 0037D82D

Part of subcall function 003729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000), ref: 003729DE
Part of subcall function 003729C8: GetLastError.KERNEL32(00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000,00000000), ref: 003729F0

_free.LIBCMT ref: 0037D838
_free.LIBCMT ref: 0037D843
_free.LIBCMT ref: 0037D897
_free.LIBCMT ref: 0037D8A2
_free.LIBCMT ref: 0037D8AD
_free.LIBCMT ref: 0037D8B8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: b41c83cf2b6ba47429a9b127b81e53f1e1f9620842be642776a701f50eadfbca
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 4D114F71540B44AAD533BFB4CC87FCBBBEC6F42700F448825B29DAE092DB6AB5554650

Function 003ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003ADA74
LoadStringW.USER32(00000000), ref: 003ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003ADA91
LoadStringW.USER32(00000000), ref: 003ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003ADAB9

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 1e62b4e6748a42a094396466925bc91774cdad267da7f123731ebad38d95ef92
Instruction ID: a7d8ed84bbc967b904ff0dc387030d503feb8ccc0ae34fe1214f6a340e4e6a8a
Opcode Fuzzy Hash: 1e62b4e6748a42a094396466925bc91774cdad267da7f123731ebad38d95ef92
Instruction Fuzzy Hash: CB0186F69202197FE7129BA4ED89EEB336CE709301F401593B746E2041EA749E848F74

Function 003B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0162E108,0162E108), ref: 003B097B
EnterCriticalSection.KERNEL32(0162E0E8,00000000), ref: 003B098D
TerminateThread.KERNEL32(?,000001F6), ref: 003B099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 003B09A9
CloseHandle.KERNEL32(?), ref: 003B09B8
InterlockedExchange.KERNEL32(0162E108,000001F6), ref: 003B09C8
LeaveCriticalSection.KERNEL32(0162E0E8), ref: 003B09CF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 83e13c41e838a67109e423156d8146e93c8d583f8f82a8c2ebe8c5abac7fc921
Instruction ID: 8ea2016c27f67fe092f9cdb14b641e1ee9c6108911fc97eca91db530fc37b894
Opcode Fuzzy Hash: 83e13c41e838a67109e423156d8146e93c8d583f8f82a8c2ebe8c5abac7fc921
Instruction Fuzzy Hash: 34F019324A3A13ABDB565BA4EE88BD6BB39BF01702F402526F202908A0C7749465CF90

Function 003C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 003C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003C1DE1
WSAGetLastError.WSOCK32 ref: 003C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 003C1EDB
inet_ntoa.WSOCK32(?), ref: 003C1E8C

Part of subcall function 003A39E8: _strlen.LIBCMT ref: 003A39F2

Part of subcall function 003C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,003BEC0C), ref: 003C3240

_strlen.LIBCMT ref: 003C1F35

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 26fcfa3edd4dfff48b3d7c17c3df21bd3b0213c86a615af89fe0f69f6ffbca63
Instruction ID: 2be7afc647101b279b777f1e6f5c3318b02d88cfcd65a4318de0c17f656f3f15
Opcode Fuzzy Hash: 26fcfa3edd4dfff48b3d7c17c3df21bd3b0213c86a615af89fe0f69f6ffbca63
Instruction Fuzzy Hash: B8B19B71204340AFC326DF24C895F2AB7E5AF86318F558A4CF4569F2A2CB71ED46CB91

Function 00345D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00345D30
GetWindowRect.USER32(?,?), ref: 00345D71
ScreenToClient.USER32(?,?), ref: 00345D99
GetClientRect.USER32(?,?), ref: 00345ED7
GetWindowRect.USER32(?,?), ref: 00345EF8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9fc380b76b0cf1318a14c038b99e3e0a528b56693acaf20dbd8f7e07dc445264
Instruction ID: 6dd916f61d753c9053202efae1b541617f47121210f727ef008dde100a81905b
Opcode Fuzzy Hash: 9fc380b76b0cf1318a14c038b99e3e0a528b56693acaf20dbd8f7e07dc445264
Instruction Fuzzy Hash: 57B18834A10B4ADBDB11DFA9C4807EEB7F5FF48310F14941AE8A9DB650DB34AA81CB50

Function 003701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 003700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003700D6
__allrem.LIBCMT ref: 003700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0037010B
__allrem.LIBCMT ref: 00370122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00370140

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 66b5ad4d9aff639cc0a99b3314eb6e5fb518c6a056a4227cb41a5a4f52a170ba
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: D4811575A00706DFE736AE28DC41B6BB3A8AF41724F25C23AF514DA681E7B8D9008B50

Function 003761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,003682D9,003682D9,?,?,?,0037644F,00000001,00000001,8BE85006), ref: 00376258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0037644F,00000001,00000001,8BE85006,?,?,?), ref: 003762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 003763D8
__freea.LIBCMT ref: 003763E5

Part of subcall function 00373820: RtlAllocateHeap.NTDLL(00000000,?,00411444,?,0035FDF5,?,?,0034A976,00000010,00411440,003413FC,?,003413C6,?,00341129), ref: 00373852

__freea.LIBCMT ref: 003763EE
__freea.LIBCMT ref: 00376413

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: fab2e98e60ab201a055af7d443c20d70391f5649aa40711342584979d691d9df
Instruction ID: dcab09dae16ebbab21ed7a7140c519513fdc4361f3f144d5130dbcf344802a2d
Opcode Fuzzy Hash: fab2e98e60ab201a055af7d443c20d70391f5649aa40711342584979d691d9df
Instruction Fuzzy Hash: D251E272600A16ABEB378F64CC92EAF77A9EF44710F168629FC09DA151DB38DC44D760

Function 003CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003CB6AE,?,?), ref: 003CC9B5
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CC9F1
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA68
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003CBD25
RegCloseKey.ADVAPI32(00000000), ref: 003CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003CBDF3
RegCloseKey.ADVAPI32(?), ref: 003CBDFF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: a0ff1d320c4261b167dbb6e605aa5b6a6a5ac160f6cce3fd48308735de87cf70
Instruction ID: 82b5528549c7a132485e4085fb5343295369d1e9559e3084b5205e6d826eb65f
Opcode Fuzzy Hash: a0ff1d320c4261b167dbb6e605aa5b6a6a5ac160f6cce3fd48308735de87cf70
Instruction Fuzzy Hash: E7816E70118241AFD716DF24C886E2ABBE9FF84308F14855DF55A8F2A2DB31ED45CB92

Function 0039F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0039F7B9
SysAllocString.OLEAUT32(00000001), ref: 0039F860
VariantCopy.OLEAUT32(0039FA64,00000000), ref: 0039F889
VariantClear.OLEAUT32(0039FA64), ref: 0039F8AD
VariantCopy.OLEAUT32(0039FA64,00000000), ref: 0039F8B1
VariantClear.OLEAUT32(?), ref: 0039F8BB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 6cb2f2323670133e87bafb7f343ee8fa98bf38f253f5546e48df1ffe9e3b1982
Instruction ID: c2d4ed1c96ee9dcc1355c1a83659b73933fadd33c984a46b6a1b3b5946b3f6db
Opcode Fuzzy Hash: 6cb2f2323670133e87bafb7f343ee8fa98bf38f253f5546e48df1ffe9e3b1982
Instruction Fuzzy Hash: 5C51EE31610310BEDF62AB65D895B69B3E8EF45320F249467E806DF296DB70DC40CBA6

Function 003B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00347620: _wcslen.LIBCMT ref: 00347625

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 003B94E5
_wcslen.LIBCMT ref: 003B9506
_wcslen.LIBCMT ref: 003B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 003B9585

Strings

X, xrefs: 003B9412

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 718e593c65907fa015a1ec5cc5b06c8c099aa46052a24a451451a3f8f9acf9d3
Instruction ID: 4e19c9f721b7aaf864c6b9356d1a0da025a6586e83503b6f41f8eb6ae10997bc
Opcode Fuzzy Hash: 718e593c65907fa015a1ec5cc5b06c8c099aa46052a24a451451a3f8f9acf9d3
Instruction Fuzzy Hash: 06E194315043409FD726DF24C481BAAB7E4BF85314F15896EFA899F2A2DB31ED05CB92

Function 0035920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

BeginPaint.USER32(?,?,?), ref: 00359241
GetWindowRect.USER32(?,?), ref: 003592A5
ScreenToClient.USER32(?,?), ref: 003592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 003592D3
EndPaint.USER32(?,?,?,?,?), ref: 00359321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003971EA

Part of subcall function 00359339: BeginPath.GDI32(00000000), ref: 00359357

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 5913b0a8f0011c26ffd7fc7bf7f241a4ec28a223ed1ce5c9fd23fc07e9e2bed0
Instruction ID: 7253b7ac838c07249e542582d90fd910251d762c89b57a181d943f6bc1029396
Opcode Fuzzy Hash: 5913b0a8f0011c26ffd7fc7bf7f241a4ec28a223ed1ce5c9fd23fc07e9e2bed0
Instruction Fuzzy Hash: D841BD70115301EFDB12DF24DC85FBA7BA8EB59321F04466AFAA48B2F1C7309849DB61

Function 003B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 003B0847
EnterCriticalSection.KERNEL32(?), ref: 003B0863
LeaveCriticalSection.KERNEL32(?), ref: 003B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 003B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 003B0921

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 85202f1793d0c4b43330086ca5f929024760eefc090babcb9e8256097c6cfbc1
Instruction ID: 79bc93b43662c14fbda756742c95ee85fc7efa2c52cebb8c929a433758d4018a
Opcode Fuzzy Hash: 85202f1793d0c4b43330086ca5f929024760eefc090babcb9e8256097c6cfbc1
Instruction Fuzzy Hash: AE416A71910205EFDF1AAF54DC85AAAB7B8FF04304F1440A5ED00EE2A6D730DE64DBA4

Function 003D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0039F3AB,00000000,?,?,00000000,?,0039682C,00000004,00000000,00000000), ref: 003D824C
EnableWindow.USER32(?,00000000), ref: 003D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 003D82D1
ShowWindow.USER32(?,00000004), ref: 003D82E5
EnableWindow.USER32(?,00000001), ref: 003D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003D832F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 1c5b13f7a81e1e85568aadf4017572bd866a3205a3b3ac93247ff90d5b71f418
Instruction ID: ea7b7205078ccd0a288153d1949eb664ef2bf372a20c4f6b0eb9fda88f363569
Opcode Fuzzy Hash: 1c5b13f7a81e1e85568aadf4017572bd866a3205a3b3ac93247ff90d5b71f418
Instruction Fuzzy Hash: 5841C379611640AFDB13CF25EC99BE47BF0BB0A714F1952AAE6184B372CB31B845CB40

Function 003A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003A4CEA
_wcslen.LIBCMT ref: 003A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003A4D10
_wcsstr.LIBVCRUNTIME ref: 003A4D1A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: f242675698945d2cbf0fd8976ffbbbf2908ec32118843d730642e107c6bebf05
Instruction ID: 402717229a7cd7305160df56f2e7ea2c73cd44284f0a4768c2cafde4cbbf5924
Opcode Fuzzy Hash: f242675698945d2cbf0fd8976ffbbbf2908ec32118843d730642e107c6bebf05
Instruction Fuzzy Hash: 2F21F9716152017BEB175B39AC4AE7BBB9CDF86750F15803AF809CE192EFA1DC00D6A0

Function 003B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00343AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00343A97,?,?,00342E7F,?,?,?,00000000), ref: 00343AC2

_wcslen.LIBCMT ref: 003B587B
CoInitialize.OLE32(00000000), ref: 003B5995
CoCreateInstance.OLE32(003DFCF8,00000000,00000001,003DFB68,?), ref: 003B59AE
CoUninitialize.OLE32 ref: 003B59CC

Strings

.lnk, xrefs: 003B5876, 003B58C1, 003B5985

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 20adf1783c094766da9dd1c471228a622518942bd0da01aa2c1bf0ebf15f2614
Instruction ID: 5dea710432acad5bb00ff658d4f75fa68fe8c16355a0bcf1df768481ac0772bd
Opcode Fuzzy Hash: 20adf1783c094766da9dd1c471228a622518942bd0da01aa2c1bf0ebf15f2614
Instruction Fuzzy Hash: 8FD18371A087019FC706DF24C480A6ABBE5FF89718F11885DF98A9B361DB31ED05CB92

Function 003A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003A0FCA
Part of subcall function 003A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003A0FD6
Part of subcall function 003A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003A0FE5
Part of subcall function 003A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003A0FEC
Part of subcall function 003A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003A1002

GetLengthSid.ADVAPI32(?,00000000,003A1335), ref: 003A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003A17BA
HeapAlloc.KERNEL32(00000000), ref: 003A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 003A17DA
GetProcessHeap.KERNEL32(00000000,00000000,003A1335), ref: 003A17EE
HeapFree.KERNEL32(00000000), ref: 003A17F5

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: d8f30255b438925e4ec8687a5360531d59296c555023ef7cf8a6fda1e9138ac0
Instruction ID: 8537bbce19202fd854eac356b7c7b857d6e9174cc90a7577143c2331f4505670
Opcode Fuzzy Hash: d8f30255b438925e4ec8687a5360531d59296c555023ef7cf8a6fda1e9138ac0
Instruction Fuzzy Hash: 1011BB32621216FFDB229FA4DC49FAE7BADEB42355F105019F481A7290C736A940CB60

Function 003A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 003A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003A1515
CloseHandle.KERNEL32(00000004), ref: 003A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 003A1563

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 57aabb9fdfd9ee17ef63620bbfe9fca228c3f1df44397ed8b800dbbf31dafdf7
Instruction ID: 0299545a56ac6c06a0cbbc12c257ef2bc566b7b7bee8ee9a0654b4fa007e21cb
Opcode Fuzzy Hash: 57aabb9fdfd9ee17ef63620bbfe9fca228c3f1df44397ed8b800dbbf31dafdf7
Instruction Fuzzy Hash: E711267251120AAFDF128FA8ED49BDE7BADEF4A744F054125FA05A20A0C375CE60DB60

Function 00363382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00363379,00362FE5), ref: 00363390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0036339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 003633B7
SetLastError.KERNEL32(00000000,?,00363379,00362FE5), ref: 00363409

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9395268270f19ee582569738e57e297f9c22f37949b79b2bfcdb6faca69dc214
Instruction ID: d27ad6bfe0b8a7302133d76e1519cfdb64bc9971ae80f11773984a2cffd54b30
Opcode Fuzzy Hash: 9395268270f19ee582569738e57e297f9c22f37949b79b2bfcdb6faca69dc214
Instruction Fuzzy Hash: 3B012436609311BEEB2727B5BDC55672AA8EB05379730833AF410992F8EF214D11D548

Function 00372D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00375686,00383CD6,?,00000000,?,00375B6A,?,?,?,?,?,0036E6D1,?,00408A48), ref: 00372D78
_free.LIBCMT ref: 00372DAB
_free.LIBCMT ref: 00372DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0036E6D1,?,00408A48,00000010,00344F4A,?,?,00000000,00383CD6), ref: 00372DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0036E6D1,?,00408A48,00000010,00344F4A,?,?,00000000,00383CD6), ref: 00372DEC
_abort.LIBCMT ref: 00372DF2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: e289fc66e492274aad616838247ad4cd8f27cd41d5785a4b6ec2da3fad36b511
Instruction ID: 672df9f7ec762b14c5a18646f516866b9645fc7f449dbed8e57394dcca39993a
Opcode Fuzzy Hash: e289fc66e492274aad616838247ad4cd8f27cd41d5785a4b6ec2da3fad36b511
Instruction Fuzzy Hash: 60F0C83594560177C7332778BC06E5B266DAFC27A1F26C51DF83CAA1D6EF3C88419560

Function 003D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00359639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00359693
Part of subcall function 00359639: SelectObject.GDI32(?,00000000), ref: 003596A2
Part of subcall function 00359639: BeginPath.GDI32(?), ref: 003596B9
Part of subcall function 00359639: SelectObject.GDI32(?,00000000), ref: 003596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 003D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 003D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 003D8A70
LineTo.GDI32(?,00000000,00000003), ref: 003D8A80
EndPath.GDI32(?), ref: 003D8A90
StrokePath.GDI32(?), ref: 003D8AA0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a9429a4173c02161bb885127caa6f4fc8aee0e680d89cdbc0596de50c48c944d
Instruction ID: bd2b9377e28705cb67c2dc3c01aa6c1c4aeb2f42bfdae1a0935e948aa624673d
Opcode Fuzzy Hash: a9429a4173c02161bb885127caa6f4fc8aee0e680d89cdbc0596de50c48c944d
Instruction Fuzzy Hash: 4C110576011149FFEF129F90EC88EEA7F6CEB08350F008022BA199A1A1C771AD55DBA0

Function 003A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 003A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A5230
ReleaseDC.USER32(00000000,00000000), ref: 003A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 003A5261

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 9776c559a17087fb628bd802a4a2092d4dd414a4fd48821aa258c837d593aee5
Instruction ID: 89f95d1b40aca86a16dfec3984ebbe57581d2ed480f114732476669407decc3e
Opcode Fuzzy Hash: 9776c559a17087fb628bd802a4a2092d4dd414a4fd48821aa258c837d593aee5
Instruction Fuzzy Hash: F8018F75E11719BBEB119BA59C49B4EBFB8EF48351F084066FA04AB280D670D800CBA0

Function 00341BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00341BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00341BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00341C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00341C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00341C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00341C22

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: b93b131f846331f39d19f2a8cc313dc89475f99894abe6915526237d77910694
Instruction ID: eea22b97b11070f2a7b8cb58b575ca73e755f3abd99df3d78a05cec913827947
Opcode Fuzzy Hash: b93b131f846331f39d19f2a8cc313dc89475f99894abe6915526237d77910694
Instruction Fuzzy Hash: A00167B0902B5ABDE3008F6A8C85B52FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 003AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 003AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003AEB75

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 96d3c222c710a6b3e6220ee2452911d479b72f4539065185b12cf6df95df1faa
Instruction ID: bbd0734d722502127f1e79e765a8a912bc0603e2d6f942a95910cce6720dc634
Opcode Fuzzy Hash: 96d3c222c710a6b3e6220ee2452911d479b72f4539065185b12cf6df95df1faa
Instruction Fuzzy Hash: 1FF05472162169BBEB225B52AC0EEEF7F7CEFCBB11F00115AF601D1191D7A05A01C6B5

Function 00397439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00397452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00397469
GetWindowDC.USER32(?), ref: 00397475
GetPixel.GDI32(00000000,?,?), ref: 00397484
ReleaseDC.USER32(?,00000000), ref: 00397496
GetSysColor.USER32(00000005), ref: 003974B0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b026192c5929855a858889e43fb37d95949b0734b8e72424d399aab0c2d72ba9
Instruction ID: 85a56742d35c5137d6b8e51b0c56c20b78c8757c9b2b382cfb35e0ae15082814
Opcode Fuzzy Hash: b026192c5929855a858889e43fb37d95949b0734b8e72424d399aab0c2d72ba9
Instruction Fuzzy Hash: 25018B31425216EFEB125FA5EC08BEEBBBAFB04311F151161F925A21A1CB311E41EB10

Function 003A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003A187F
UnloadUserProfile.USERENV(?,?), ref: 003A188B
CloseHandle.KERNEL32(?), ref: 003A1894
CloseHandle.KERNEL32(?), ref: 003A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 003A18A5
HeapFree.KERNEL32(00000000), ref: 003A18AC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8796903c6fedf3bc07736031085206b06697f79302c557395d77c2252bef6796
Instruction ID: f183b75b134d702698441219ad4deb8b7366b7e4813033ca786c67f4a08af5b2
Opcode Fuzzy Hash: 8796903c6fedf3bc07736031085206b06697f79302c557395d77c2252bef6796
Instruction Fuzzy Hash: BAE0C236065112BBDB026BA1FD0C90ABB2DFB49B22B109222F225810B0CB329420DB50

Function 0034BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0034BEB3

Strings

D%A, xrefs: 0034BDED, 0034BD91, 0034BD1B
D%A, xrefs: 0034BCA2
D%AD%A, xrefs: 0034BCA5
D%A, xrefs: 0034BE9A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%A$D%A$D%A$D%AD%A
API String ID: 1385522511-1146282348
Opcode ID: ea829e7d08dabdf15c73ce8b1b7db0b19beaf20813a146e2e1c520b4a02a249f
Instruction ID: 566d66a17263266b64db1723b3b27521f8a2726e04221c1127524cab3ab015b8
Opcode Fuzzy Hash: ea829e7d08dabdf15c73ce8b1b7db0b19beaf20813a146e2e1c520b4a02a249f
Instruction Fuzzy Hash: 4F914775A0021ADFCB19CF68C0D06AAFBF6FF59310B25816AD941AB350E771ED81CB90

Function 003C7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00360242: EnterCriticalSection.KERNEL32(0041070C,00411884,?,?,0035198B,00412518,?,?,?,003412F9,00000000), ref: 0036024D
Part of subcall function 00360242: LeaveCriticalSection.KERNEL32(0041070C,?,0035198B,00412518,?,?,?,003412F9,00000000), ref: 0036028A

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003600A3: __onexit.LIBCMT ref: 003600A9

__Init_thread_footer.LIBCMT ref: 003C7BFB

Part of subcall function 003601F8: EnterCriticalSection.KERNEL32(0041070C,?,?,00358747,00412514), ref: 00360202
Part of subcall function 003601F8: LeaveCriticalSection.KERNEL32(0041070C,?,00358747,00412514), ref: 00360235

Strings

G, xrefs: 003C7C7F
Variable must be of type 'Object'., xrefs: 003C7C3A
+T9, xrefs: 003C7E2E
5, xrefs: 003C7C78

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T9$5$G$Variable must be of type 'Object'.
API String ID: 535116098-3698753954
Opcode ID: bf7c3a75a87f4476f02ce76c1e41bc55f7725afe290d5f964961852ea7386436
Instruction ID: 87b5666372d13839ec7df0fecde473f3a963c86268a2f79de92e644a5b67095c
Opcode Fuzzy Hash: bf7c3a75a87f4476f02ce76c1e41bc55f7725afe290d5f964961852ea7386436
Instruction Fuzzy Hash: 5B917A74A04209AFCB16EF94D895EADBBB5FF49300F10805DF806AB292DB71AE45CF51

Function 003AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00347620: _wcslen.LIBCMT ref: 00347625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003AC6EE
_wcslen.LIBCMT ref: 003AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003AC7CA

Strings

0, xrefs: 003AC6AF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: fc330b877bce46cb9ef26b2e036defb45ae03bf1c1d63ac58cc0a326e25f38ec
Instruction ID: c885fed532dd283669f84089d6bf2bc40d2c58d87a1d80cb202509e7c12be68d
Opcode Fuzzy Hash: fc330b877bce46cb9ef26b2e036defb45ae03bf1c1d63ac58cc0a326e25f38ec
Instruction Fuzzy Hash: F051FF716243009FD713DF28C885BABB7E8EF4A310F042A29F9A1D71A0DB65D804CF56

Function 003CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 003CAEA3

Part of subcall function 00347620: _wcslen.LIBCMT ref: 00347625

GetProcessId.KERNEL32(00000000), ref: 003CAF38
CloseHandle.KERNEL32(00000000), ref: 003CAF67

Strings

<, xrefs: 003CAE6B
@, xrefs: 003CAE72

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 3f326105bbbcf265a4c9e1e7e224878fd38f115dc589d9fae98650f2b653c340
Instruction ID: 5f2f7ff7ef8f30ece0df98174c88b4344f42da95dcd652fc80bf23c7abf20f64
Opcode Fuzzy Hash: 3f326105bbbcf265a4c9e1e7e224878fd38f115dc589d9fae98650f2b653c340
Instruction Fuzzy Hash: 28713574A00A19DFCB16EF64C485A9EBBF0EF08314F05849DE816AF262CB75ED45CB91

Function 003A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003A72CF

Strings

DllGetClassObject, xrefs: 003A7242

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 1af0e092d79911b9c82e4f7c63cdb6a50f4f70ce0603879d148260e33243ce4b
Instruction ID: f8888698807607cb02c74caf949aa6a2803031eef8509c7a1aa5f5d1e754cacd
Opcode Fuzzy Hash: 1af0e092d79911b9c82e4f7c63cdb6a50f4f70ce0603879d148260e33243ce4b
Instruction Fuzzy Hash: 0A418E71A04204EFDB16CF54CCC4B9A7BA9EF4A310F1584AABD059F20AD7B5D941CBA0

Function 003D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003D3E35
IsMenu.USER32(?), ref: 003D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003D3E92
DrawMenuBar.USER32 ref: 003D3EA5

Strings

0, xrefs: 003D3D89

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 93dd3290fa4d76db1d8158e297b9ab19a8999d2ccb6ab016deeb0fad198e235b
Instruction ID: 31091285d27ace7625e810515e868869be9bada30da726fcc49750f1e33ccfb1
Opcode Fuzzy Hash: 93dd3290fa4d76db1d8158e297b9ab19a8999d2ccb6ab016deeb0fad198e235b
Instruction Fuzzy Hash: D5414977A11209AFDB11DF50E884AEABBBAFF49350F05412AF9159B390D730AE44CF51

Function 003A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 003A1EA9

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

Strings

ListBox, xrefs: 003A1E25
ComboBox, xrefs: 003A1DF0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 7bf5ccf2d3681614f1d3a7b023d8d584f39e5469b9c64e11a35be34fef13e1c9
Instruction ID: 0cb7b409a288631a0467b3caf570eb280e0055c8093c82c23399dde37692c01c
Opcode Fuzzy Hash: 7bf5ccf2d3681614f1d3a7b023d8d584f39e5469b9c64e11a35be34fef13e1c9
Instruction Fuzzy Hash: 3D212771A00104BEDB16AB64DC46DFFB7BDDF46360F14412AF825AB1E1DB345D09C620

Function 003D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003D2F8D
LoadLibraryW.KERNEL32(?), ref: 003D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003D2FA9
DestroyWindow.USER32(?), ref: 003D2FB1

Strings

SysAnimate32, xrefs: 003D2F68

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: b0ae96bda4742fb8dc257631831f2a44e084e5079ba6b64a764aff0d83382658
Instruction ID: 1204b45bdbaf80d59b505e9d4f5a19b648668cc9f500efa596cfb5ba2ff5e2bc
Opcode Fuzzy Hash: b0ae96bda4742fb8dc257631831f2a44e084e5079ba6b64a764aff0d83382658
Instruction Fuzzy Hash: 5D21DC72214205ABEB124F64EC80EBB77BDEF69324F114A2AFA50D62A0C771DC41A760

Function 00364D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00364D1E,003728E9,?,00364CBE,003728E9,004088B8,0000000C,00364E15,003728E9,00000002), ref: 00364D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00364DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00364D1E,003728E9,?,00364CBE,003728E9,004088B8,0000000C,00364E15,003728E9,00000002,00000000), ref: 00364DC3

Strings

mscoree.dll, xrefs: 00364D86
CorExitProcess, xrefs: 00364D98

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e923a7022bcc5eaf846e587f51b6106581b35a54e81ddc3bb33d9896d66c8738
Instruction ID: 755168b9dec95b26ed964a663d0c374cad51b572927435a4b17cccbc8b597e41
Opcode Fuzzy Hash: e923a7022bcc5eaf846e587f51b6106581b35a54e81ddc3bb33d9896d66c8738
Instruction Fuzzy Hash: 97F0AF74A21219FBDB169F90EC49BEEBBB8EF44751F0042A5F805A22A0CF705980CA90

Function 00344E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00344EDD,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00344EAE
FreeLibrary.KERNEL32(00000000,?,?,00344EDD,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344EC0

Strings

kernel32.dll, xrefs: 00344E94
Wow64DisableWow64FsRedirection, xrefs: 00344EA8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: c75719e2882971a307ad11e9b9fa64405ae54d6aa44927a1fc9728cbc027faa0
Instruction ID: c9089dcc342479f80d427a8c5c3bd7efab8167f3391f02241840ea88d9d42e1c
Opcode Fuzzy Hash: c75719e2882971a307ad11e9b9fa64405ae54d6aa44927a1fc9728cbc027faa0
Instruction Fuzzy Hash: 86E08636A235339BD2231B257C1CB5BA69CAF81B62B060127FC01E6250DF64DD41C0A0

Function 00344E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00383CDE,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00344E74
FreeLibrary.KERNEL32(00000000,?,?,00383CDE,?,00411418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00344E87

Strings

kernel32.dll, xrefs: 00344E5B
Wow64RevertWow64FsRedirection, xrefs: 00344E6E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 74c3d586680a73727ee7c5891ca0fcc124e427cb232f3dfaf7c4d96369ce1e7d
Instruction ID: d9923990952d8f0d0a3cdf9dbdaff688784babdbf909362a69c7acdca28fff6b
Opcode Fuzzy Hash: 74c3d586680a73727ee7c5891ca0fcc124e427cb232f3dfaf7c4d96369ce1e7d
Instruction Fuzzy Hash: 3AD0C232533633678A231B247C08F8BAB5CAF81B113060233F801E7150CF20CD41C1D0

Function 003B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003B2C05
DeleteFileW.KERNEL32(?), ref: 003B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003B2CC0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 14875ca51a7b7ed22c51e3dba5b4177289763c14d54ed4a25a73ee16dbb50b0b
Instruction ID: 244ad641ea1d72ea73a836e6fc0f1a5167e96e124f91ae961031bfc9af8fe904
Opcode Fuzzy Hash: 14875ca51a7b7ed22c51e3dba5b4177289763c14d54ed4a25a73ee16dbb50b0b
Instruction Fuzzy Hash: D7B16F72D00119ABDF12DBA4CC85EDFBBBDEF49344F1041A6F609EA155EB309A448F61

Function 003CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 003CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 003CA468
CloseHandle.KERNEL32(?), ref: 003CA63D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 34ce0713c5d0bada031cfc54cc0c21e3ed3245bebb7da7caffc006b845fd996e
Instruction ID: 3bc4c66edd1ec9d56738994ded4b070b29edcddf142bd679d7a50596ac95f1fb
Opcode Fuzzy Hash: 34ce0713c5d0bada031cfc54cc0c21e3ed3245bebb7da7caffc006b845fd996e
Instruction Fuzzy Hash: 06A1ACB16047009FD721DF24C886F2AB7E5AB84714F14885DF99ADF392DBB1EC058B82

Function 0037BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,003E3700), ref: 0037BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0041121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0037BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00411270,000000FF,?,0000003F,00000000,?), ref: 0037BC36
_free.LIBCMT ref: 0037BB7F

Part of subcall function 003729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000), ref: 003729DE
Part of subcall function 003729C8: GetLastError.KERNEL32(00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000,00000000), ref: 003729F0

_free.LIBCMT ref: 0037BD4B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: c20bb6d0409a3f3f1861a7e87f52b254072b3deace544dc86576bda328d44b38
Instruction ID: 8aba649714746663a291cdd93cff6c8ed6a583206615aeb23f04834312d6e37f
Opcode Fuzzy Hash: c20bb6d0409a3f3f1861a7e87f52b254072b3deace544dc86576bda328d44b38
Instruction Fuzzy Hash: 0F51E971900209DFDB32DF659C81AAAF7BCEF41310F11C2AAE558E71A1DB789D41CB54

Function 003AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003ACF22,?), ref: 003ADDFD

Part of subcall function 003ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003ACF22,?), ref: 003ADE16

Part of subcall function 003AE199: GetFileAttributesW.KERNEL32(?,003ACF95), ref: 003AE19A

lstrcmpiW.KERNEL32(?,?), ref: 003AE473
MoveFileW.KERNEL32(?,?), ref: 003AE4AC
_wcslen.LIBCMT ref: 003AE5EB
_wcslen.LIBCMT ref: 003AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 003AE650

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 33d367a8e98e63224c48abb03a0ef96c22431db32daed2f2ac11814aca321b45
Instruction ID: 052bfeec8c07b91952901cdf9b693cb067fa384383a90f04a2c477073c172175
Opcode Fuzzy Hash: 33d367a8e98e63224c48abb03a0ef96c22431db32daed2f2ac11814aca321b45
Instruction Fuzzy Hash: EC5153B24083455BC726DB94DC81ADBB3ECEF95340F00492EF589D7151EF74A6888766

Function 003CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003CB6AE,?,?), ref: 003CC9B5
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CC9F1
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA68
Part of subcall function 003CC998: _wcslen.LIBCMT ref: 003CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003CBB63
RegCloseKey.ADVAPI32(?,?), ref: 003CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 003CBBB3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 6b7fe306f09948ec59deafd867aa344c5f2fdb39b1ce91cc7055820662a2a0f2
Instruction ID: d1e5f4008f6f5f75358dd98994d11e1fdf91b4a8c4c65a68267243b804f2957e
Opcode Fuzzy Hash: 6b7fe306f09948ec59deafd867aa344c5f2fdb39b1ce91cc7055820662a2a0f2
Instruction Fuzzy Hash: 45617D31218241AFD716DF14C491F2ABBE9FF84308F15859DF4998B2A2DB31ED45CB92

Function 003A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003A8BCD
VariantClear.OLEAUT32 ref: 003A8C3E
VariantClear.OLEAUT32 ref: 003A8C9D
VariantClear.OLEAUT32(?), ref: 003A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003A8D3B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: e8810ca52a883aa645fa508903f7040e828dd7292cbf13d7f94e0d7d848d30fe
Instruction ID: c642d6c8df08647f91636ac3bc453c9dbd3a61272b9cabf5813828cadb2257ac
Opcode Fuzzy Hash: e8810ca52a883aa645fa508903f7040e828dd7292cbf13d7f94e0d7d848d30fe
Instruction Fuzzy Hash: 1D5189B1A1021AEFCB15CF28C884AAAB7F8FF89310F118559E905DB350E730E911CF90

Function 003B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 003B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003B8C5F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: d51beefb464b815d1ce0799891a3630261f32dfc1283560621b0f46f6daf91d5
Instruction ID: 871aef33969ba5028427880474fe9c7bd9924de20112f325edc27def20e954b4
Opcode Fuzzy Hash: d51beefb464b815d1ce0799891a3630261f32dfc1283560621b0f46f6daf91d5
Instruction Fuzzy Hash: B0513875A002159FCB02DF64C881AAABBF5FF49314F088499E949AF362CB35FD41CB90

Function 003C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 003C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 003C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 003C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 003C9032
FreeLibrary.KERNEL32(00000000), ref: 003C9052

Part of subcall function 0035F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,003B1043,?,75C0E610), ref: 0035F6E6
Part of subcall function 0035F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0039FA64,00000000,00000000,?,?,003B1043,?,75C0E610,?,0039FA64), ref: 0035F70D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 084f3f4fa330e1e07248d5f09e51757ae90e93f9d4e4ca231e83e2de5e753be6
Instruction ID: 823b57c082ade9a50bdf15298143962558160e0b42892748fff06d591e8f819b
Opcode Fuzzy Hash: 084f3f4fa330e1e07248d5f09e51757ae90e93f9d4e4ca231e83e2de5e753be6
Instruction Fuzzy Hash: 575106356052159FCB12DF58C484EA9BBF1FF49314B0580A9E80A9F762DB31EE86CB90

Function 003D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 003D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 003D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 003D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,003BAB79,00000000,00000000), ref: 003D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 003D6CC7

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 964c04a31c3b73da4d696087430595f68c68d4ef17a8c18cc3f48e2f55e95cee
Instruction ID: ea6a25d6c7b9c6eff27dc3dfcb828bff6735194c26f892e75b8bbe3693d346a4
Opcode Fuzzy Hash: 964c04a31c3b73da4d696087430595f68c68d4ef17a8c18cc3f48e2f55e95cee
Instruction Fuzzy Hash: E5411B76620104AFD726CF28EC56FB97BA9EB09350F16022AFD65A73E0C371ED50CA40

Function 00372051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003720C3
_free.LIBCMT ref: 003720E3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b53a8cfc64f6dbadcb8e0132192248e3adde4c3f2463174b157fbe3f5c859833
Instruction ID: ffb19e77f6c972824176164c6670aa8cbd6944a5e638c828970b43028600cec5
Opcode Fuzzy Hash: b53a8cfc64f6dbadcb8e0132192248e3adde4c3f2463174b157fbe3f5c859833
Instruction Fuzzy Hash: 1541D432A002009FCB35DF78C981A5EB7F5EF89314F568568EA19EB351D735AD01CB90

Function 0035912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00359141
ScreenToClient.USER32(00000000,?), ref: 0035915E
GetAsyncKeyState.USER32(00000001), ref: 00359183
GetAsyncKeyState.USER32(00000002), ref: 0035919D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6e224512655a785aca29200deb86b15512ccbfaf6fd2b620c4d2a0e7f998acb2
Instruction ID: 0a20e314c62b6e0da46b26fad7b442d6773573c5b8aa83ff108c29412262e04c
Opcode Fuzzy Hash: 6e224512655a785aca29200deb86b15512ccbfaf6fd2b620c4d2a0e7f998acb2
Instruction Fuzzy Hash: EA417F71A1861BFBDF169F64D844BEEB774FB05321F218216E825A72E0C7306E54CB91

Function 003B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 003B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 003B3922
TranslateMessage.USER32(?), ref: 003B394B
DispatchMessageW.USER32(?), ref: 003B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B3966

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 7e1bda5f05f02abf34a603c348887dad2b429321db245555a11fc8fd0ce24c64
Instruction ID: 181e520b6dc1fe17860834c948f3f835bee3584293798a6e89e42468770fb4bf
Opcode Fuzzy Hash: 7e1bda5f05f02abf34a603c348887dad2b429321db245555a11fc8fd0ce24c64
Instruction Fuzzy Hash: DE31B770914366AEEB37CB359848BF637A8EB05308F05456DE662C29B0E7F4A685CB11

Function 003BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,003BC21E,00000000), ref: 003BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 003BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,003BC21E,00000000), ref: 003BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,003BC21E,00000000), ref: 003BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,003BC21E,00000000), ref: 003BCFF2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: f277af28f616d5be9a45c48588b7da7927939f9e8f0105508b5488cf156e63c3
Instruction ID: 2efe82b2deffca89ef12fe3622e3fff390ac11a393a5e06f306c4b69716af7f9
Opcode Fuzzy Hash: f277af28f616d5be9a45c48588b7da7927939f9e8f0105508b5488cf156e63c3
Instruction Fuzzy Hash: DD317F71620206AFDB32DFA5D8849BBBBFDEB04319B10546EF606D6911D730ED40DB60

Function 003A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 003A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 003A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 003A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 003A19E2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: e1feb6d9f60e02cbe592fbeb2236fee61126c5a8b3071f37586afb767622aaaa
Instruction ID: 16b4be065bfdcdbb51c5bf31b85ce780d0ac202ed00218b41056775402650218
Opcode Fuzzy Hash: e1feb6d9f60e02cbe592fbeb2236fee61126c5a8b3071f37586afb767622aaaa
Instruction Fuzzy Hash: 4831C072A10219EFCB01CFA8DD99ADF7BB9EB05315F104229F921AB2D1C7709944CB90

Function 003D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 003D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 003D579D
_wcslen.LIBCMT ref: 003D57AF
_wcslen.LIBCMT ref: 003D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 003D5816

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: fd5490411688f97d25f81fac7b87c68767adc3521442d6428ba40f25b142747c
Instruction ID: fd0ff94b2a3e426ce0d096311b812a0bf16b789f56de1a63a419039e85f57fd3
Opcode Fuzzy Hash: fd5490411688f97d25f81fac7b87c68767adc3521442d6428ba40f25b142747c
Instruction Fuzzy Hash: AF218572904618DADB229F65EC85AEEB7BCFF04724F108217E929EA280D7708985CF51

Function 003C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003C0951
GetForegroundWindow.USER32 ref: 003C0968
GetDC.USER32(00000000), ref: 003C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 003C09B0
ReleaseDC.USER32(00000000,00000003), ref: 003C09E8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 915ce84f33d2b6b763d95abffa561e00a57edb40a6a97809be5e7d7b0c7b9310
Instruction ID: 60054b874b6c6780a630244d83aa190e72b27a4776ee4b85013c37069250a0ab
Opcode Fuzzy Hash: 915ce84f33d2b6b763d95abffa561e00a57edb40a6a97809be5e7d7b0c7b9310
Instruction Fuzzy Hash: 69216D35A11214AFD705EF69D884AAEBBF9EF48700F04806DE84ADB762CB30EC04CB50

Function 0037CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0037CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0037CDE9

Part of subcall function 00373820: RtlAllocateHeap.NTDLL(00000000,?,00411444,?,0035FDF5,?,?,0034A976,00000010,00411440,003413FC,?,003413C6,?,00341129), ref: 00373852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0037CE0F
_free.LIBCMT ref: 0037CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0037CE31

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 67d09e84959f00226970bdb8111a17b6c1744a0ca1b4a149b384ed7bd2871d83
Instruction ID: f29744f154021542fcdb9da1f8b631b0c8cf68a2d723ce0f351427088e73752b
Opcode Fuzzy Hash: 67d09e84959f00226970bdb8111a17b6c1744a0ca1b4a149b384ed7bd2871d83
Instruction Fuzzy Hash: C00128726226113F673316B66C48C3B6A6CEFC7BA2315912EF908C7500DA288D01C1B0

Function 00359639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00359693
SelectObject.GDI32(?,00000000), ref: 003596A2
BeginPath.GDI32(?), ref: 003596B9
SelectObject.GDI32(?,00000000), ref: 003596E2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 7da836792fa8e91c508f1fef944a941041a8776f3d35b574ba95dfa7b7ac9dfb
Instruction ID: 0e582a41aa1bc799a89d7c8194391772b88deb8b25df5c10a7344294aeb808e8
Opcode Fuzzy Hash: 7da836792fa8e91c508f1fef944a941041a8776f3d35b574ba95dfa7b7ac9dfb
Instruction Fuzzy Hash: FB21AAB0822306DFDB129F14EC15BE97B79BB00326F118227F920961F0D3749859CF98

Function 003A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 003A5726
_memcmp.LIBVCRUNTIME ref: 003A5744
_memcmp.LIBVCRUNTIME ref: 003A5757
_memcmp.LIBVCRUNTIME ref: 003A576F
_memcmp.LIBVCRUNTIME ref: 003A5787

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 912abbd370e8362ff841575d0eab15afcf96be0a40850f3bea8f060ca524058f
Instruction ID: a8bb463a3b7bbaf0d3c4c04af96ce478c01fd663037a453c348691be9cc1da61
Opcode Fuzzy Hash: 912abbd370e8362ff841575d0eab15afcf96be0a40850f3bea8f060ca524058f
Instruction Fuzzy Hash: EC0196A6641A15BED21A56109D82EFA635CDB223A4B148421FD16AF741F762ED1082A0

Function 00372DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0036F2DE,00373863,00411444,?,0035FDF5,?,?,0034A976,00000010,00411440,003413FC,?,003413C6), ref: 00372DFD
_free.LIBCMT ref: 00372E32
_free.LIBCMT ref: 00372E59
SetLastError.KERNEL32(00000000,00341129), ref: 00372E66
SetLastError.KERNEL32(00000000,00341129), ref: 00372E6F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 18bac245782dc18d2e3455e659e57cf1a0a3563955e28596311a28d16677818e
Instruction ID: 162e19351e293832f00eb6afb50ce9a2e480fb15d9cee70806a4dec96f4ff3cb
Opcode Fuzzy Hash: 18bac245782dc18d2e3455e659e57cf1a0a3563955e28596311a28d16677818e
Instruction Fuzzy Hash: 4D01283664560177C73327347C85E2B265DABC63B1F26C529F82DA6AD3EF7C8C418420

Function 003A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?,?,?,003A035E), ref: 003A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?,?), ref: 003A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?,?), ref: 003A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?), ref: 003A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0039FF41,80070057,?,?), ref: 003A0070

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 25b1e54a7d46763ae8b545b844843cde855d7d6afeca7bdfaa266df5c4fc95d8
Instruction ID: 90317e5a62cc6bb6212c69bb9f08e7546f8d13427e893557e718bcacf362d6fc
Opcode Fuzzy Hash: 25b1e54a7d46763ae8b545b844843cde855d7d6afeca7bdfaa266df5c4fc95d8
Instruction Fuzzy Hash: BA01DB72621205BFDB168F68EC04FAA7BAEEB49392F104125F905D2210E774CD00DBA0

Function 003AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 003AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 003AE9A5
Sleep.KERNEL32(00000000), ref: 003AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 003AE9B7
Sleep.KERNEL32 ref: 003AE9F3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: d89342ee99e18af9bf9620b738b52478bc15c93ffef2242cd581c38f3b7da4ac
Instruction ID: ad042039c8d567658c23447a5527800d822bd01b772f34a40e5cdfdbf22d31df
Opcode Fuzzy Hash: d89342ee99e18af9bf9620b738b52478bc15c93ffef2242cd581c38f3b7da4ac
Instruction Fuzzy Hash: 3F012D31C1162ADBCF02AFE5EC59AEEBB7CFF0A701F01055AE502B2141CB389555C761

Function 003A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,003A0B9B,?,?,?), ref: 003A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003A114D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 00bf7259f47eb065323ae98ceedbebe7c1a0581e2a18df4557ae1fd4e962250e
Instruction ID: 91f4972fb37aa93431a65efe0c88789d1ecc9c12ffe183106b0cf49d761af514
Opcode Fuzzy Hash: 00bf7259f47eb065323ae98ceedbebe7c1a0581e2a18df4557ae1fd4e962250e
Instruction Fuzzy Hash: D3016D75111216BFDB124F64EC49A6A3B6EEF86364F110415FA41C3350DA31DC00DA60

Function 003A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003A1002

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 3f525efd0ed4cc719a70810f5ae7814d45d2579b1e50fbe83c45ab2ecf0e3fef
Instruction ID: fd4162ac161138e2c5c6e03bf2c3aab7344e316c020231907ee6c3bb5c73188c
Opcode Fuzzy Hash: 3f525efd0ed4cc719a70810f5ae7814d45d2579b1e50fbe83c45ab2ecf0e3fef
Instruction Fuzzy Hash: DDF06D39261312EBDB224FA4EC4DF563BADEF8A762F154416FA45C7291CA70DC40CA60

Function 003A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003A1062

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 52483090e029549567a4b9e0688fe232e70d2708fb09036dfc1707f2ca36c4d4
Instruction ID: a6d1b031ed834ae8410d0a4bab79c4cb9f2c4cfbb6d8f1366128c0dd5355710f
Opcode Fuzzy Hash: 52483090e029549567a4b9e0688fe232e70d2708fb09036dfc1707f2ca36c4d4
Instruction Fuzzy Hash: 38F06D39261312EBDB235FA4EC49F563BADEF8A761F150416FA45C7290CA74D840CA60

Function 003B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,003B017D,?,003B32FC,?,00000001,00382592,?), ref: 003B0324
CloseHandle.KERNEL32(?,?,?,?,003B017D,?,003B32FC,?,00000001,00382592,?), ref: 003B0331
CloseHandle.KERNEL32(?,?,?,?,003B017D,?,003B32FC,?,00000001,00382592,?), ref: 003B033E
CloseHandle.KERNEL32(?,?,?,?,003B017D,?,003B32FC,?,00000001,00382592,?), ref: 003B034B
CloseHandle.KERNEL32(?,?,?,?,003B017D,?,003B32FC,?,00000001,00382592,?), ref: 003B0358
CloseHandle.KERNEL32(?,?,?,?,003B017D,?,003B32FC,?,00000001,00382592,?), ref: 003B0365

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 8f9fcbd64347be80e7b5705d367450eab5c6d183773addf9b9a910a4703745a1
Instruction ID: 9cc7f4cf4b84d2db252dc20ab471ba8db488c25c301b239d58f81c593e7a8719
Opcode Fuzzy Hash: 8f9fcbd64347be80e7b5705d367450eab5c6d183773addf9b9a910a4703745a1
Instruction Fuzzy Hash: D701E276800B058FC7329F66D880447F7F9BF503093068A3FD29A52930C370A944CF80

Function 0037D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0037D752

Part of subcall function 003729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000), ref: 003729DE
Part of subcall function 003729C8: GetLastError.KERNEL32(00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000,00000000), ref: 003729F0

_free.LIBCMT ref: 0037D764
_free.LIBCMT ref: 0037D776
_free.LIBCMT ref: 0037D788
_free.LIBCMT ref: 0037D79A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ea67faf32414772eda258d9a93ab332dbf3b20d7c062e8e0dd8e50b351813208
Instruction ID: b4bf36415cb4c4937b012798f36d9f073f4276abbb22999643112d55615e5c35
Opcode Fuzzy Hash: ea67faf32414772eda258d9a93ab332dbf3b20d7c062e8e0dd8e50b351813208
Instruction Fuzzy Hash: 58F03C72500244ABC636EB68FAC1C17B7EDBF46311B998815F14CEB502C738FC808668

Function 003A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 003A5C6F
MessageBeep.USER32(00000000), ref: 003A5C87
KillTimer.USER32(?,0000040A), ref: 003A5CA3
EndDialog.USER32(?,00000001), ref: 003A5CBD

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: daa71934af09e624b00113477c2f174add6b65576df052e563926e7a6b1a1ab1
Instruction ID: db99d0dfeaf63a4ec8abb563a1cf4f2d61f838f7da6eff884bbf2531595380b9
Opcode Fuzzy Hash: daa71934af09e624b00113477c2f174add6b65576df052e563926e7a6b1a1ab1
Instruction Fuzzy Hash: C2018630511B05ABEB225B10ED4EFA677BCFB01B05F04165AA583A14E1DBF4A988CA90

Function 003722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003722BE

Part of subcall function 003729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000), ref: 003729DE
Part of subcall function 003729C8: GetLastError.KERNEL32(00000000,?,0037D7D1,00000000,00000000,00000000,00000000,?,0037D7F8,00000000,00000007,00000000,?,0037DBF5,00000000,00000000), ref: 003729F0

_free.LIBCMT ref: 003722D0
_free.LIBCMT ref: 003722E3
_free.LIBCMT ref: 003722F4
_free.LIBCMT ref: 00372305

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1283788ad74bc8da5ff266be15f6479ce721d6ecfd4f3e8ee5edf08c6346c64c
Instruction ID: 794527137c4e5a5d7d56c4b330976f47797cf0ee2378cf50f6e6f25f4469b730
Opcode Fuzzy Hash: 1283788ad74bc8da5ff266be15f6479ce721d6ecfd4f3e8ee5edf08c6346c64c
Instruction Fuzzy Hash: ADF03071501110CBC723BF64BC4288A7BA4B71A751B06CA66F518E62B1C7B904A29BAC

Function 003595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003595D4
StrokeAndFillPath.GDI32(?,?,003971F7,00000000,?,?,?), ref: 003595F0
SelectObject.GDI32(?,00000000), ref: 00359603
DeleteObject.GDI32 ref: 00359616
StrokePath.GDI32(?), ref: 00359631

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 59311219117bd3d32a12b48982693c9eca85e98f6c9ef09fb2858cc48b65c51a
Instruction ID: e19885ae9f8d6db7cb64567ea1002277cecc9005c6b783a9c234c3ece3a96e8f
Opcode Fuzzy Hash: 59311219117bd3d32a12b48982693c9eca85e98f6c9ef09fb2858cc48b65c51a
Instruction Fuzzy Hash: 93F03CB0026205EBDB135F65ED1CBA43B69AB01332F04C226FA25590F0C73489A9DF28

Function 00370F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 003710F9
__freea.LIBCMT ref: 00371117

Part of subcall function 00371537: _free.LIBCMT ref: 0037154F

Strings

am/pm, xrefs: 0037117A
a/p, xrefs: 003711DE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9ffa97f2f9b6bd700a8210d077d589a18f1653c826df94b6eb069d2878767104
Instruction ID: 0c42ed0efd590111901dfd100248df605beb1db63dea17e9b7e31bc2c0c0327c
Opcode Fuzzy Hash: 9ffa97f2f9b6bd700a8210d077d589a18f1653c826df94b6eb069d2878767104
Instruction Fuzzy Hash: C1D1F237910205CAEB3A9F6CC8957BAB7B4EF05700F298159E909ABA51D33D9D80CB51

Function 003C61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00360242: EnterCriticalSection.KERNEL32(0041070C,00411884,?,?,0035198B,00412518,?,?,?,003412F9,00000000), ref: 0036024D
Part of subcall function 00360242: LeaveCriticalSection.KERNEL32(0041070C,?,0035198B,00412518,?,?,?,003412F9,00000000), ref: 0036028A

Part of subcall function 003600A3: __onexit.LIBCMT ref: 003600A9

__Init_thread_footer.LIBCMT ref: 003C6238

Part of subcall function 003601F8: EnterCriticalSection.KERNEL32(0041070C,?,?,00358747,00412514), ref: 00360202
Part of subcall function 003601F8: LeaveCriticalSection.KERNEL32(0041070C,?,00358747,00412514), ref: 00360235

Part of subcall function 003B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 003B35E4
Part of subcall function 003B359C: LoadStringW.USER32(00412390,?,00000FFF,?), ref: 003B360A

Strings

x#A, xrefs: 003C633A
x#A, xrefs: 003C6353
x#A, xrefs: 003C636F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#A$x#A$x#A
API String ID: 1072379062-3459604138
Opcode ID: cff1a3c7be1e37e5d333b01fe3ffd0bc0cb9caf342d30c8ba26b0e82cd481fe4
Instruction ID: c0b8afd901b486bafbbf2628ac01d4f292cf261cbe6a9b1d53f2ce7f59c77a43
Opcode Fuzzy Hash: cff1a3c7be1e37e5d333b01fe3ffd0bc0cb9caf342d30c8ba26b0e82cd481fe4
Instruction Fuzzy Hash: C4C15B71A00109AFCB16DF58C892EBEB7B9EF49300F15846EE915DB291DB70ED45CB90

Function 00375AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JO4, xrefs: 00375BA8, 00375C6C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: JO4
API String ID: 0-3558438523
Opcode ID: 48df31203667a2d95f76b97e7801f3c844a096388e647cee2a968612b7556b4c
Instruction ID: acf4aa6b9424a02c3497e4fbe3b0c5a3959435d7e1db0af92f6b5ffd7f61fc77
Opcode Fuzzy Hash: 48df31203667a2d95f76b97e7801f3c844a096388e647cee2a968612b7556b4c
Instruction Fuzzy Hash: C651B075D0060A9FCB3B9FA4D885FBE7BB8AF05310F158059F409AB291D7B99901CB61

Function 00378A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00378B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00378B7A
__dosmaperr.LIBCMT ref: 00378B81

Strings

.6, xrefs: 00378A63

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .6
API String ID: 2434981716-1713163095
Opcode ID: a0cb59738e8578db40ae76cf056139c1a95d2962ea2bcd3e4b9bc51e93fd3a74
Instruction ID: 4a02ee4651363cc2a4df871bd0ae0190684e97274b689e1aa8ec03f47785e3de
Opcode Fuzzy Hash: a0cb59738e8578db40ae76cf056139c1a95d2962ea2bcd3e4b9bc51e93fd3a74
Instruction Fuzzy Hash: D0418E70604045AFD7369F28C889AB97FA5DF45304F29C5A9F48D8B542DE398C02D794

Function 003A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003A21D0,?,?,00000034,00000800,?,00000034), ref: 003AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003A2760

Part of subcall function 003AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 003AB3F8

Part of subcall function 003AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 003AB355
Part of subcall function 003AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003A2194,00000034,?,?,00001004,00000000,00000000), ref: 003AB365
Part of subcall function 003AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003A2194,00000034,?,?,00001004,00000000,00000000), ref: 003AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003A281A

Strings

@, xrefs: 003A2832

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 2beb0ca2931ffefc7622486289eba1339e0d19b7c88b286564a4ef7dafce080e
Instruction ID: 0a5f1cd94466b6810caf88b8b74827c8acdf64f161932734c915d20148bcb3a3
Opcode Fuzzy Hash: 2beb0ca2931ffefc7622486289eba1339e0d19b7c88b286564a4ef7dafce080e
Instruction Fuzzy Hash: 54412C76900218AFDB11DFA8CD45AEEBBB8EF0A700F104095FA55BB181DB716F45CBA1

Function 0037172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00371769
_free.LIBCMT ref: 00371834
_free.LIBCMT ref: 0037183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00371760, 00371767, 00371796, 003717CE

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: 87b855728bb0a8c451b72bffca6664b2bddc9777015c6e193490262e1a563aba
Instruction ID: a30bc27c99de22bf5d7702f1828c8064068e1c40f4c85d83e3156ea983d5128b
Opcode Fuzzy Hash: 87b855728bb0a8c451b72bffca6664b2bddc9777015c6e193490262e1a563aba
Instruction Fuzzy Hash: 13318376A00258BFDB36DF99D881D9EBBFCEB85310B1581A6E90897211D7748A40CB91

Function 003AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 003AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00411990,016348B0), ref: 003AC395

Strings

0, xrefs: 003AC2DF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: e02546e098bbda95026df6e16ef9af1cf3f9ee7febb3648948848c6a9fad6b77
Instruction ID: c1a0467dc79609d049057ee99590feb8c6dbed3382724c67cb77225bb798c3bd
Opcode Fuzzy Hash: e02546e098bbda95026df6e16ef9af1cf3f9ee7febb3648948848c6a9fad6b77
Instruction Fuzzy Hash: 1041D2352183019FDB22DF25D844B1ABBE8EF86310F009A1EF9A59B2D1C734EC04CB52

Function 003D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003DCC08,00000000,?,?,?,?), ref: 003D44AA
GetWindowLongW.USER32 ref: 003D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003D44D7

Strings

SysTreeView32, xrefs: 003D447C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d0a7a00c43b186eb4db7c5bbd862d8656af83cb71a2dbdbc01744a53b9b16d51
Instruction ID: 7898cc8c442665a2c980d89f5062336880560a02b8ac931d127a9b8fd65c5786
Opcode Fuzzy Hash: d0a7a00c43b186eb4db7c5bbd862d8656af83cb71a2dbdbc01744a53b9b16d51
Instruction Fuzzy Hash: CB318F32210605AFDB229F38EC45BDA77A9EB09334F214716F975972E0D770EC909750

Function 003A6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 003A6EED
VariantCopyInd.OLEAUT32(?,?), ref: 003A6F08
VariantClear.OLEAUT32(?), ref: 003A6F12

Strings

*j:, xrefs: 003A6E8B, 003A6E90, 003A6EF8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j:
API String ID: 2173805711-2474983611
Opcode ID: 72a10098ced5874aa63be6511b78366ac0657188c4f1c69c24a99f5cb09dc37d
Instruction ID: 117f016b4cbe98b5c1ed7f4b3b70b5539bece2839f2022dcb541909b04e2dd94
Opcode Fuzzy Hash: 72a10098ced5874aa63be6511b78366ac0657188c4f1c69c24a99f5cb09dc37d
Instruction Fuzzy Hash: 9B314171604255DFCB07AFA4E8529BE77BAEF86304B141499F9024F2A1C734E922DBD1

Function 003C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,003C3077,?,?), ref: 003C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 003C307A
_wcslen.LIBCMT ref: 003C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 003C3106

Strings

255.255.255.255, xrefs: 003C3095, 003C309A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 57841071828c5f05147a1ca9ed005e0c8b4a4406552087c5f63d813a0f4a6964
Instruction ID: 00c0485ffbeee0a4d5a5c3faee94ee7d8a135ca3e3e5d1c66ffdfdd70fd41241
Opcode Fuzzy Hash: 57841071828c5f05147a1ca9ed005e0c8b4a4406552087c5f63d813a0f4a6964
Instruction Fuzzy Hash: E431AE3A6042019FCB12DF28C885FAA77E4AF14318F29C059E916CB792DB32EE45C761

Function 003D3EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003D3F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003D3F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 003D3F78

Strings

SysMonthCal32, xrefs: 003D3F0B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 5f2fd613e185841ba4c88e3fd6ea2bf6783fb5cbf9b2936d03897f42533614b1
Instruction ID: 8e27fbbfab26acef2e20b25796bbc60abc213924cea4f5202c870db14819d63c
Opcode Fuzzy Hash: 5f2fd613e185841ba4c88e3fd6ea2bf6783fb5cbf9b2936d03897f42533614b1
Instruction Fuzzy Hash: 16218B33610219BFDF229F50EC46FEA3B79EB48714F110215FA15AB2D0D6B5AD50CBA0

Function 003D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003D471A

Strings

msctls_updown32, xrefs: 003D4684

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 25f12f62630241637f304df389c394fccb64627279f33688bffbb9e6e7661ae9
Instruction ID: 636db024ec7a8e8e10469b0dd3ebc876621f8dcf63f478fae77c41f66f18da75
Opcode Fuzzy Hash: 25f12f62630241637f304df389c394fccb64627279f33688bffbb9e6e7661ae9
Instruction Fuzzy Hash: 7D2132B5614205AFDB12DF64ECC1DB737ADEB5A394B15005AF6109B361CB71EC11CB60

Function 003A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003A961D

Strings

#OnAutoItStartRegister, xrefs: 003A95F3
#notrayicon, xrefs: 003A95B7
#requireadmin, xrefs: 003A95D9

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: e9cb9f597c42450ef1ae75cc39d83917b83f597f614d1e8e97edbe321d09aed2
Instruction ID: 3e0842e21999ec48e0caf0be7ac9a47623520c1a6001815a432c56c6177798ab
Opcode Fuzzy Hash: e9cb9f597c42450ef1ae75cc39d83917b83f597f614d1e8e97edbe321d09aed2
Instruction Fuzzy Hash: 232157326046106AD333AB249C43FBB73DCDF97320F118427F94AAF191EB55AD55C295

Function 003D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003D3876

Strings

Listbox, xrefs: 003D380F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 197b7fe3ad18bdd8e323271ba469387cc90d489cdd57339e679cfe72816868d7
Instruction ID: f8ae3d1b35b6c05a497c1cf48f83c2fb14b9006dc7876d457b8bd1454c62e989
Opcode Fuzzy Hash: 197b7fe3ad18bdd8e323271ba469387cc90d489cdd57339e679cfe72816868d7
Instruction Fuzzy Hash: 6221F273610118BBEF128F54EC41FBB376EEF89750F118126F9009B290C671EC1187A0

Function 003B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003B4A5C
SetErrorMode.KERNEL32(00000000,?,?,003DCC08), ref: 003B4AD0

Strings

%lu, xrefs: 003B4A6F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 809b196fbb78209f330c8b48a097b292465bb0f7144f84461e4bea10de30941f
Instruction ID: d1646e5bf26df4e52e89e12b778f813c7f448fbbb1dec94a9f03c80fbd03af47
Opcode Fuzzy Hash: 809b196fbb78209f330c8b48a097b292465bb0f7144f84461e4bea10de30941f
Instruction Fuzzy Hash: 1A315E71A00219AFDB12DF54C885EAA7BF8EF08308F1480A5F909DF262D771ED46CB61

Function 003D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003D4271

Strings

msctls_trackbar32, xrefs: 003D4226

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 204831913ed0ca11551dde66f2009fbad35cc1bfdd6879b92d435b12a7385b80
Instruction ID: 6ed80a11fa028c1e7d308cc12be66a6c46d2360a3800b8c6a981e1fff5ea2b99
Opcode Fuzzy Hash: 204831913ed0ca11551dde66f2009fbad35cc1bfdd6879b92d435b12a7385b80
Instruction Fuzzy Hash: 16110632250208BFEF225F38DC06FAB7BACEF95B54F120525FA55E61A0D671DC119B14

Function 003A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

Part of subcall function 003A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003A2DC5
Part of subcall function 003A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 003A2DD6
Part of subcall function 003A2DA7: GetCurrentThreadId.KERNEL32 ref: 003A2DDD
Part of subcall function 003A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003A2DE4

GetFocus.USER32 ref: 003A2F78

Part of subcall function 003A2DEE: GetParent.USER32(00000000), ref: 003A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 003A2FC3
EnumChildWindows.USER32(?,003A303B), ref: 003A2FEB

Strings

%s%d, xrefs: 003A2FFF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: effc95dfe6450bc6d60f3ea33d1116c7f7c7e7f5e13ce8fddb90f8d66644d32f
Instruction ID: f0286dce4c12a8d3d3a2adb8421840feccdbc9a0ce80c8a986c937bfe5203f1b
Opcode Fuzzy Hash: effc95dfe6450bc6d60f3ea33d1116c7f7c7e7f5e13ce8fddb90f8d66644d32f
Instruction Fuzzy Hash: 0611E171200205ABCF56BF749C96EEE37AAEF86304F044076FD099F292DE309909CB60

Function 003D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 003D58EE
DrawMenuBar.USER32(?), ref: 003D58FD

Strings

0, xrefs: 003D588F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 46aed868fb19b31fe348f44f4ab9a086fcf034f7692c47bd275e7c863d96c04d
Instruction ID: eb652204661c1742d10819df8e9299439281deccda6e405c50815ddc8c88c210
Opcode Fuzzy Hash: 46aed868fb19b31fe348f44f4ab9a086fcf034f7692c47bd275e7c863d96c04d
Instruction Fuzzy Hash: 92018432510218EFDB129F15FC45FAEBBB9FF45361F10809AE849DA261DB308A94DF21

Function 0039D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0039D3BF
FreeLibrary.KERNEL32 ref: 0039D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0039D3B9
X64, xrefs: 0039D2A8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 11473a8f5c1505e86372c32784db55893abb5d7633343d12d74c9cdf443b4aab
Instruction ID: caf694daa01c8f9f7be4d7656075e6dfce9df45eecee67b5d8c3e27b4764e40c
Opcode Fuzzy Hash: 11473a8f5c1505e86372c32784db55893abb5d7633343d12d74c9cdf443b4aab
Instruction Fuzzy Hash: 84F05579011B128AEF3B27108C8A969331CBF10302FA68A1BE453E24A4CB20CC81CA42

Function 003A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebcb35bdc67f08fd8314d6cc538d3d8effcda27898ab28b9eb0f7651b3be8fc
Instruction ID: 99cd0ec36ee998850831ddeda34cb2eddaeeab49f93a655f486a55b4be2b0ccb
Opcode Fuzzy Hash: 6ebcb35bdc67f08fd8314d6cc538d3d8effcda27898ab28b9eb0f7651b3be8fc
Instruction Fuzzy Hash: 06C14C75A0020AEFDB19CFA4C898BAEB7B5FF49704F118598E505EB291D731ED41CB90

Function 003C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003C3459
CoUninitialize.OLE32 ref: 003C3463
VariantInit.OLEAUT32(?), ref: 003C346E
VariantClear.OLEAUT32(?), ref: 003C371B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: ed758129a53659f9e34c1bf1bdb525123541176a5fa8e7b34566384f11e220ad
Instruction ID: cf84c6a7356074ba1e47a896fe5cf46605967f17a0e745f7a784e62dbe0450fa
Opcode Fuzzy Hash: ed758129a53659f9e34c1bf1bdb525123541176a5fa8e7b34566384f11e220ad
Instruction Fuzzy Hash: AAA1F3756042109FC712DF28C485E2AB7E9EF89714F05889DF98A9F362DB31EE05CB91

Function 003A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003DFC08,?), ref: 003A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003DFC08,?), ref: 003A0608
CLSIDFromProgID.OLE32(?,?,00000000,003DCC40,000000FF,?,00000000,00000800,00000000,?,003DFC08,?), ref: 003A062D
_memcmp.LIBVCRUNTIME ref: 003A064E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 77db0b50434f7e01a8d8d7572cf7cd6df75086e09025dde22c2398a3a66b0bc8
Instruction ID: fe7fcc926c1b74d09d14c400f9d4a29bbc5757542168e5f2ca79a110d4d2ef9b
Opcode Fuzzy Hash: 77db0b50434f7e01a8d8d7572cf7cd6df75086e09025dde22c2398a3a66b0bc8
Instruction Fuzzy Hash: 85812C75A00109EFCB05DFA4C984EEEB7B9FF8A315F204559E506AB250DB71AE06CF60

Function 003CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 003CA6BA

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Process32NextW.KERNEL32(00000000,?), ref: 003CA79C
CloseHandle.KERNEL32(00000000), ref: 003CA7AB

Part of subcall function 0035CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00383303,?), ref: 0035CE8A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: cb6f8365769a1c7af3496d274e261afbe609a36ce0fbc74c26184d5d6dc3f458
Instruction ID: ce4c1bebc4ca41d28f62bf7ab6259200c7013803265659df3da50806088d4677
Opcode Fuzzy Hash: cb6f8365769a1c7af3496d274e261afbe609a36ce0fbc74c26184d5d6dc3f458
Instruction Fuzzy Hash: 5E514A71508311AFD311EF24D886E6BBBE8FF89754F00491DF9859B262EB30E904CB92

Function 00381391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 003814C0

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d20c41ad9c20bb28d1dcce7980b128f73792085c3bb993be70f057fffc9b9fa7
Instruction ID: 015de7ba486c61efa2a7139eaedff4cfb09ddb7c0774c7394039bbcca410df8f
Opcode Fuzzy Hash: d20c41ad9c20bb28d1dcce7980b128f73792085c3bb993be70f057fffc9b9fa7
Instruction Fuzzy Hash: 49413B35A00300ABDB237BBA9C45ABE3BBCEF46330F1586A5F419DB192E67449425761

Function 003D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003D62E2
ScreenToClient.USER32(?,?), ref: 003D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 003D6382

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: abc55191cbd22a905c721364ab2d01de73409d5b76bae85e656cc6aa8fc75163
Instruction ID: df14f2af99d537c20b89cf5a6d29ef5e49b7584d474e4f09bd1d7ffc66f469a1
Opcode Fuzzy Hash: abc55191cbd22a905c721364ab2d01de73409d5b76bae85e656cc6aa8fc75163
Instruction Fuzzy Hash: A5513C75A00209AFCF11DF68E8819AE7BB5FF55360F11826AF9259B3A1D730ED41CB90

Function 003C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003C1AFD
WSAGetLastError.WSOCK32 ref: 003C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003C1B8A
WSAGetLastError.WSOCK32 ref: 003C1B94

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: d2e83b407d69c8473f5ab7e823c38954da54b88fd501a040e172b31f2cd39afa
Instruction ID: 84187bd58e47817e8d2155abd28c5911fb85f6b70bb23160744c0d35556020dc
Opcode Fuzzy Hash: d2e83b407d69c8473f5ab7e823c38954da54b88fd501a040e172b31f2cd39afa
Instruction Fuzzy Hash: B8419A74600201AFE722AF24C886F3A77E5AB45718F54848CF91A9F3D3D772ED428B90

Function 0037B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921cd4c8b746f54d1dce4b681f6a7392696a8fbb746962dd96dfecf993661ec4
Instruction ID: ebf3c727537835971dce0e1523a2817615cfa56d48bdc5357cb81412869bff73
Opcode Fuzzy Hash: 921cd4c8b746f54d1dce4b681f6a7392696a8fbb746962dd96dfecf993661ec4
Instruction Fuzzy Hash: 2B41F775A00304AFD736AF79CC41B6ABBF9EB84720F10C56AF549DF682D775A9018780

Function 003B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003B5783
GetLastError.KERNEL32(?,00000000), ref: 003B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003B57FA

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: fbdbbe8659832671237e5b1f5a7034120f68d7c4b055a029ed4a70531b7a69a0
Instruction ID: 6522f73e4667524f3a616c6faa45ce6cd07c5a6e9f74f946a2953f08476e2121
Opcode Fuzzy Hash: fbdbbe8659832671237e5b1f5a7034120f68d7c4b055a029ed4a70531b7a69a0
Instruction Fuzzy Hash: 01413D39710610DFCB12DF15C545A5EBBE2EF89724B198888E94AAF362CB35FD00CB91

Function 0037D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00366D71,00000000,00000000,003682D9,?,003682D9,?,00000001,00366D71,?,00000001,003682D9,003682D9), ref: 0037D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0037D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0037D9AB
__freea.LIBCMT ref: 0037D9B4

Part of subcall function 00373820: RtlAllocateHeap.NTDLL(00000000,?,00411444,?,0035FDF5,?,?,0034A976,00000010,00411440,003413FC,?,003413C6,?,00341129), ref: 00373852

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: c939b8f613b393175007fb612d87f10227134706ee54aeba539a37c107e09d20
Instruction ID: c8d9555682277d922ae551c18d976a0f7842c4fd434ffef28edb7d1e814d53b8
Opcode Fuzzy Hash: c939b8f613b393175007fb612d87f10227134706ee54aeba539a37c107e09d20
Instruction Fuzzy Hash: 3D31A072A1021AABDB269F64DC41EAE7BB5EF41310F168269FD08DA150E739CD50CB90

Function 003D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 003D5352
GetWindowLongW.USER32(?,000000F0), ref: 003D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003D53A8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 53cc8347adf9428be59f721804d83fe26d3466714b3e2b64fee1fedc1d23b039
Instruction ID: b12bcb867474f174874c982eb0f030eeae88c84fb6a4cc5f991f19fc5bd750de
Opcode Fuzzy Hash: 53cc8347adf9428be59f721804d83fe26d3466714b3e2b64fee1fedc1d23b039
Instruction Fuzzy Hash: D031C33AA65A08EFEB379F14EC05FE8776AAB04390F594103FA10963E1C7B09E50DB41

Function 003AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 003AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 003AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 003AAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 003AACC6

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9e8971b448ee34b631c87720bd511f676bd8ec404d4a65bf18395bdf86be1c05
Instruction ID: ad8ac8732812bd7b3de54e3e7855f3f01573e80801debc6166dffe7f487e2f18
Opcode Fuzzy Hash: 9e8971b448ee34b631c87720bd511f676bd8ec404d4a65bf18395bdf86be1c05
Instruction Fuzzy Hash: 39311872A14A186FFF278B6588087FA7BAAEB47330F04421AE481D61D1C3798981C752

Function 003D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003D769A
GetWindowRect.USER32(?,?), ref: 003D7710
PtInRect.USER32(?,?,003D8B89), ref: 003D7720
MessageBeep.USER32(00000000), ref: 003D778C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f12339e20bfa7423e901f0a6bf0171f86de58111bc334e365cc1dddf7f1075fc
Instruction ID: 2563bc140683cbc8f2fa5739d60b910bac713a869d5817a7f2affd3aeca04ab0
Opcode Fuzzy Hash: f12339e20bfa7423e901f0a6bf0171f86de58111bc334e365cc1dddf7f1075fc
Instruction Fuzzy Hash: 1A41BC76A092149FCB02CF58E884EA877F5BB49310F1984AAE5249B360E330E941CB90

Function 003D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003D16EB

Part of subcall function 003A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 003A3A57
Part of subcall function 003A3A3D: GetCurrentThreadId.KERNEL32 ref: 003A3A5E
Part of subcall function 003A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,003A25B3), ref: 003A3A65

GetCaretPos.USER32(?), ref: 003D16FF
ClientToScreen.USER32(00000000,?), ref: 003D174C
GetForegroundWindow.USER32 ref: 003D1752

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: b8dafef2a5cd651c80a103148b5e84a73e94eb84342508cb02c64f14242ae948
Instruction ID: 2b8f180e51b9dc6d352f0bdb27da2a28a8c08b52a18ce5c379d2f69d649dd3b7
Opcode Fuzzy Hash: b8dafef2a5cd651c80a103148b5e84a73e94eb84342508cb02c64f14242ae948
Instruction Fuzzy Hash: 21316175D11249AFC701DFA9D881CAEB7FDEF49304B5080AAE415EB211D731EE45CBA1

Function 003D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

GetCursorPos.USER32(?), ref: 003D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00397711,?,?,?,?,?), ref: 003D9016
GetCursorPos.USER32(?), ref: 003D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00397711,?,?,?), ref: 003D9094

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: cf9424d601a989adadef03f962c185a34d6f71104ce30d7917fea21708ff835c
Instruction ID: b635f3135d13f7f078e96659f7e4df07a196f639b50c35bb430c5270661252a4
Opcode Fuzzy Hash: cf9424d601a989adadef03f962c185a34d6f71104ce30d7917fea21708ff835c
Instruction Fuzzy Hash: 0E219F36611018EFDB269F94E858FEA7BB9EF4A350F0481A7F9059B261C3319D90DB60

Function 003AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003DCB68), ref: 003AD2FB
GetLastError.KERNEL32 ref: 003AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 003AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003DCB68), ref: 003AD376

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 8f767fc5255f6705d632ab28e6144dacc0a3f8bc6f5660b06603a0ea94060b19
Instruction ID: 381529f4c037d10dfe92ffe8c8366bbe6a065d026195522ea402c1bf9ff4efb1
Opcode Fuzzy Hash: 8f767fc5255f6705d632ab28e6144dacc0a3f8bc6f5660b06603a0ea94060b19
Instruction Fuzzy Hash: BE2191745152029F8B02DF28D8814AEB7E8EF57324F104A5EF49ACB2E1D731D945CB93

Function 003A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003A102A
Part of subcall function 003A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003A1036
Part of subcall function 003A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003A1045
Part of subcall function 003A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003A104C
Part of subcall function 003A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003A15BE
_memcmp.LIBVCRUNTIME ref: 003A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003A1617
HeapFree.KERNEL32(00000000), ref: 003A161E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: a53d48def35ea7a40159a18c65ca06c75f64cb03d0e0abf0f003630595a61dfb
Instruction ID: 43e0f4193f1d0bfce724715691d0abbf2512f8acec8fb00102cd76e430cbb589
Opcode Fuzzy Hash: a53d48def35ea7a40159a18c65ca06c75f64cb03d0e0abf0f003630595a61dfb
Instruction Fuzzy Hash: 3E21AC31E51109EFDF11DFA4C945BEEB7B8EF46344F198459E841EB251E730AA05CBA0

Function 003D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 003D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 003D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003D2840

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: cf95a54503ba94514f76a2aaeb9563586a132a49f5bc07f2e766c25a2dcac440
Instruction ID: dc79135096b67ccf3f11894a847a37ad6f5627c806efabf805f93730c93c2ed0
Opcode Fuzzy Hash: cf95a54503ba94514f76a2aaeb9563586a132a49f5bc07f2e766c25a2dcac440
Instruction Fuzzy Hash: 4E210632215111AFD7169B24E844F6BB79AEF56324F14815AF4268F7E2CB71FC42C790

Function 003A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 003A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,003A790A,?,000000FF,?,003A8754,00000000,?,0000001C,?,?), ref: 003A8D8C
Part of subcall function 003A8D7D: lstrcpyW.KERNEL32(00000000,?,?,003A790A,?,000000FF,?,003A8754,00000000,?,0000001C,?,?,00000000), ref: 003A8DB2
Part of subcall function 003A8D7D: lstrcmpiW.KERNEL32(00000000,?,003A790A,?,000000FF,?,003A8754,00000000,?,0000001C,?,?), ref: 003A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,003A8754,00000000,?,0000001C,?,?,00000000), ref: 003A7923
lstrcpyW.KERNEL32(00000000,?,?,003A8754,00000000,?,0000001C,?,?,00000000), ref: 003A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,003A8754,00000000,?,0000001C,?,?,00000000), ref: 003A7984

Strings

cdecl, xrefs: 003A797B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 0b2fa7b3589da46aac963151ee82df4ef451713c3f9ee3e9509a94248088debe
Instruction ID: 06a6d27922125bc36bf3583643dce575f37d7e07007e8a35a6f3cb288c967324
Opcode Fuzzy Hash: 0b2fa7b3589da46aac963151ee82df4ef451713c3f9ee3e9509a94248088debe
Instruction Fuzzy Hash: 1511D63A211242AFDB169F34DC45E7B77A9FF46350B50402FF946CB2A4EB319811C791

Function 003D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 003D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 003D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003BB7AD,00000000), ref: 003D7D6B

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: f818df69ecef76aeb48bb77cb01d881a63123bad95f6766b4f6e65008b2fa0cf
Instruction ID: 6e33c843896defb1642d34b6a8c2d58dd53fc5f91b9ad4e7a6c5807538df9eb8
Opcode Fuzzy Hash: f818df69ecef76aeb48bb77cb01d881a63123bad95f6766b4f6e65008b2fa0cf
Instruction Fuzzy Hash: A311A5326256159FCB129F28EC04EA63BAAAF45370F158726F935C72F0E7309951DB50

Function 003D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 003D56BB
_wcslen.LIBCMT ref: 003D56CD
_wcslen.LIBCMT ref: 003D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 003D5816

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 9d86986cfabf9a1a0ebf551076ebb7039ccdb658a09bc2cb03d206dafe961ad1
Instruction ID: 951de1e93d2f3e5187743c6f42bffc2a8b7c6f7d24d516302ae85729dc46187f
Opcode Fuzzy Hash: 9d86986cfabf9a1a0ebf551076ebb7039ccdb658a09bc2cb03d206dafe961ad1
Instruction Fuzzy Hash: 4511D676A0460896DB229F65EC85AFE77BCEF10760F10802BF915D6281EB70C984CF64

Function 00371D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b75cf428a027ae075b46ae9723bcdcf75e29f509dd23f94ea044186d619c6cdf
Instruction ID: 1cf39c4c4d502cec897a7662308c531322ebb99b57f7e769ab702154ed7c0432
Opcode Fuzzy Hash: b75cf428a027ae075b46ae9723bcdcf75e29f509dd23f94ea044186d619c6cdf
Instruction Fuzzy Hash: ED017CB32156163EEA3316787CC1F77665CEF423B8F35832AF529A51D2DB688C405560

Function 003A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003A1A8A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ef40ec7498241ab9fc51e3f0bd27f470c03b896107a33597e7c226e38ec97493
Instruction ID: 9956f6e4b22bac0f98fd32790fa9c902f9138a0dcc3ce6c07b955aa8085ca08b
Opcode Fuzzy Hash: ef40ec7498241ab9fc51e3f0bd27f470c03b896107a33597e7c226e38ec97493
Instruction Fuzzy Hash: FF113C3AD01219FFEB11DBA4CD85FADFB78EB05750F200091E600B7290D671AE50DB94

Function 003AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 003AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003AE24D

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 3a470e9a626f6ef2d2966a2602abb98312d843f73a7803828c1c777d3fbc5164
Instruction ID: a58fbe9cf072286106e9a81a0b705ea44178bfd02c65b4c54c70edaa6192e1e4
Opcode Fuzzy Hash: 3a470e9a626f6ef2d2966a2602abb98312d843f73a7803828c1c777d3fbc5164
Instruction Fuzzy Hash: 6C11C87691425DBBD712ABA8EC09BDE7FACEB46310F048666F924D3291D674C90487A0

Function 0036D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0036CFF9,00000000,00000004,00000000), ref: 0036D218
GetLastError.KERNEL32 ref: 0036D224
__dosmaperr.LIBCMT ref: 0036D22B
ResumeThread.KERNEL32(00000000), ref: 0036D249

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: b9cf4cda66216b0d2884caae4a210de5e0a67195fe963ff38f3cc1c38ed421fb
Instruction ID: 28a9639c0aa056286421d719b78f05696415ff56d84910ebd120ee5598e96cef
Opcode Fuzzy Hash: b9cf4cda66216b0d2884caae4a210de5e0a67195fe963ff38f3cc1c38ed421fb
Instruction Fuzzy Hash: 8E01D636D151047BC7135BA5EC05BAA7B6DEF81330F118619F9259A1D4CB71C941C7A0

Function 003D9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00359BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00359BB2

GetClientRect.USER32(?,?), ref: 003D9F31
GetCursorPos.USER32(?), ref: 003D9F3B
ScreenToClient.USER32(?,?), ref: 003D9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 003D9F7A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5c2aae7fde85fc92f737031356f50b5e4155d2eeb58ae39bac5bbf441f36af00
Instruction ID: a2e3b1d659f306d1d19a90b51f47158f7f550a5a76a776cd6b05299deb0efe9d
Opcode Fuzzy Hash: 5c2aae7fde85fc92f737031356f50b5e4155d2eeb58ae39bac5bbf441f36af00
Instruction Fuzzy Hash: FD11483291011AABDB02DF68E845EEE77BDFB05312F404553F911E7250D330BA95CBA5

Function 0034600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0034604C
GetStockObject.GDI32(00000011), ref: 00346060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0034606A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: ac14fe90671f9c2040f1352f1ea4446f5b3a89dda11f08387d1c3badd4ca14e0
Instruction ID: 3fb4668e6b60cea176bb68cbec9a56fdbe8f72d0e1181772480e4daacaaf4309
Opcode Fuzzy Hash: ac14fe90671f9c2040f1352f1ea4446f5b3a89dda11f08387d1c3badd4ca14e0
Instruction Fuzzy Hash: D411A1B2516609BFEF134F94DC45EEABBADEF09355F050212FA1456010C732EC60DB91

Function 00363B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00363B56

Part of subcall function 00363AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00363AD2
Part of subcall function 00363AA3: ___AdjustPointer.LIBCMT ref: 00363AED

_UnwindNestedFrames.LIBCMT ref: 00363B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00363B7C
CallCatchBlock.LIBVCRUNTIME ref: 00363BA4

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 5c97a436c4ef33cac304e95f88400430b44b66b0a2b6a2b0864f45630aada460
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: AB012932500149BBDF135E95CC42EEB3F69EF49754F058014FE485A125C732E961EBA0

Function 00373073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,003413C6,00000000,00000000,?,0037301A,003413C6,00000000,00000000,00000000,?,0037328B,00000006,FlsSetValue), ref: 003730A5
GetLastError.KERNEL32(?,0037301A,003413C6,00000000,00000000,00000000,?,0037328B,00000006,FlsSetValue,003E2290,FlsSetValue,00000000,00000364,?,00372E46), ref: 003730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0037301A,003413C6,00000000,00000000,00000000,?,0037328B,00000006,FlsSetValue,003E2290,FlsSetValue,00000000), ref: 003730BF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c5583b31657c2b631108b1cf0765fcf6a741cbeea86853ea0ebf956adbfdc652
Instruction ID: f2debc3a74d2a4e97e122969068433c9bb05f7fc8ab2b2f0cf38754113aba584
Opcode Fuzzy Hash: c5583b31657c2b631108b1cf0765fcf6a741cbeea86853ea0ebf956adbfdc652
Instruction Fuzzy Hash: 4A01F732762223ABCB334B78AC449677B9CAF05B61F218720F90BE7180D729D901D6E0

Function 003A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 003A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003A74CA

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 33933c96d2f6ace4a074788eddad1dbe47874855db26fb2086c20be96c26c86b
Instruction ID: e5260b37d6d1bb5bf06b2d3f4a3e84c195eab0cfb89a8b460682eac8644db0af
Opcode Fuzzy Hash: 33933c96d2f6ace4a074788eddad1dbe47874855db26fb2086c20be96c26c86b
Instruction Fuzzy Hash: 8111D6B12163119FE722CF16EC48FA27FFCEB05B00F10856AA616D7551D770E904DB50

Function 003AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003AACD3,?,00008000), ref: 003AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003AACD3,?,00008000), ref: 003AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,003AACD3,?,00008000), ref: 003AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,003AACD3,?,00008000), ref: 003AB126

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 06851b4d542373ca827079fc04e0a837ec4db0224f62c66284f3b8fc947ed776
Instruction ID: 090ffa24c48ec07ad9e437097fc26591fbf622fc0943b07c7c3e3d84b173782c
Opcode Fuzzy Hash: 06851b4d542373ca827079fc04e0a837ec4db0224f62c66284f3b8fc947ed776
Instruction Fuzzy Hash: E2113931C11529E7CF06AFA4E958AEEFB78FF0A711F114096D981B2182CB305650CB51

Function 003D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003D7E33
ScreenToClient.USER32(?,?), ref: 003D7E4B
ScreenToClient.USER32(?,?), ref: 003D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003D7E8A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 696767eba902934941c2dd7dd3ee08272163cb12d69a2a5cb8591cdfeb8a5fd3
Instruction ID: b109392c3483b8399e073bf0bfa9a2cab994f98ce19bec836cfd701b8a33a2ec
Opcode Fuzzy Hash: 696767eba902934941c2dd7dd3ee08272163cb12d69a2a5cb8591cdfeb8a5fd3
Instruction Fuzzy Hash: F51156B9D1020AAFDB41CF98D884AEEBBF9FF08310F505156E915E3210D735AA54CF50

Function 003A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 003A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 003A2DD6
GetCurrentThreadId.KERNEL32 ref: 003A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 003A2DE4

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b2733a6240e814978e561a1c74a1738823718e1d3cda2949e1707cd26d3bfd2d
Instruction ID: 45421187be8a317d64677530e5b8471e178679b799fc727179f3951a764bc2fd
Opcode Fuzzy Hash: b2733a6240e814978e561a1c74a1738823718e1d3cda2949e1707cd26d3bfd2d
Instruction Fuzzy Hash: FFE09271122225BBDB221B76AC0DFEB3F6CFF43BA1F041116F505D10819AA4C840C6B0

Function 003D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00359639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00359693
Part of subcall function 00359639: SelectObject.GDI32(?,00000000), ref: 003596A2
Part of subcall function 00359639: BeginPath.GDI32(?), ref: 003596B9
Part of subcall function 00359639: SelectObject.GDI32(?,00000000), ref: 003596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 003D8887
LineTo.GDI32(?,?,?), ref: 003D8894
EndPath.GDI32(?), ref: 003D88A4
StrokePath.GDI32(?), ref: 003D88B2

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: bda64bfe03f40f9f1c7d7751a9d19330538376918c0e1b4cc1275f6375068be3
Instruction ID: 0be0337a0eec238cae7df048161a1cb37ca39dbecfc4ec800ace3f8137392bdc
Opcode Fuzzy Hash: bda64bfe03f40f9f1c7d7751a9d19330538376918c0e1b4cc1275f6375068be3
Instruction Fuzzy Hash: F6F03A36066259FADB135F94AC09FCA3B5DAF06311F048002FA21651E1C7756511DBA9

Function 003598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 003598CC
SetTextColor.GDI32(?,?), ref: 003598D6
SetBkMode.GDI32(?,00000001), ref: 003598E9
GetStockObject.GDI32(00000005), ref: 003598F1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: be06ec522ccbf20088b1d1aa3886af5de12f3ad503fdeec9dcbf472e30921255
Instruction ID: 40e9791b8dd90134493cbe32de041c62b4835ce945ceb8be16777e1f31644f52
Opcode Fuzzy Hash: be06ec522ccbf20088b1d1aa3886af5de12f3ad503fdeec9dcbf472e30921255
Instruction Fuzzy Hash: 42E06D31265291AADF225B75BC0DBE83F25AB12336F05821BF6FA980E1C3714644DB10

Function 003A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,003A11D9), ref: 003A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003A11D9), ref: 003A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,003A11D9), ref: 003A164F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 08b21a5098d2fcb363d1df4bf0eb070c49d089c64566c5bcf7ffd99de17763fb
Instruction ID: 88a844bacb3021cd243109e93b34cc1406b46aa34ea53f3eff87c4a1172efe27
Opcode Fuzzy Hash: 08b21a5098d2fcb363d1df4bf0eb070c49d089c64566c5bcf7ffd99de17763fb
Instruction Fuzzy Hash: A0E08631A23212DBDB211FE0BE0DB463B7CFF457A1F154809F645C9090D6348440C750

Function 0039D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0039D858
GetDC.USER32(00000000), ref: 0039D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0039D882
ReleaseDC.USER32(?), ref: 0039D8A3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7e76772e42068e47d5dfe01506383cd0998d4201767e28b203da32bc8d5ebba4
Instruction ID: da243522d16b4df4c6bac6a5bdb0a22b0e2dbd4893df9df94c7cbedcc6e095df
Opcode Fuzzy Hash: 7e76772e42068e47d5dfe01506383cd0998d4201767e28b203da32bc8d5ebba4
Instruction Fuzzy Hash: CDE01AB0C21206DFCF429FA0E808A6DBBB9FB08311F18A00AE806E7650C7389905EF40

Function 0039D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0039D86C
GetDC.USER32(00000000), ref: 0039D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0039D882
ReleaseDC.USER32(?), ref: 0039D8A3

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 69a1b4429559e517a79b7c26b1ea3d65b34cc9dfc9200b51afe76ad16215ec8c
Instruction ID: bb2351c654763c2939f6c543a119ed5abb8183418200d96fd19645156ed75e6f
Opcode Fuzzy Hash: 69a1b4429559e517a79b7c26b1ea3d65b34cc9dfc9200b51afe76ad16215ec8c
Instruction Fuzzy Hash: 25E09A75C21205DFCB529FA0E80866DBBB9FB08311F18A44AE946E7250C7399905DF50

Function 003B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00347620: _wcslen.LIBCMT ref: 00347625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 003B4ED4

Strings

LPT, xrefs: 003B4DFB
*, xrefs: 003B4E10

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: c4ce079946b06734a84d5dffec42b9e502c386ab543a74d4ea6289809b349d6b
Instruction ID: 0eb38a0759b1eb21b934924d134c25ca2207f0e28f7c5894eb64d26a966a48d3
Opcode Fuzzy Hash: c4ce079946b06734a84d5dffec42b9e502c386ab543a74d4ea6289809b349d6b
Instruction Fuzzy Hash: D3918075A002149FCB16DF58C484EAABBF5BF44308F198099E90A9F763C735ED85CB94

Function 0036E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0036E30D

Strings

pow, xrefs: 0036E2E5, 0036E302

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: fd65d5a3ad404719e90805af6d94d6d6b2379804570d48b9a18e5c60214a9d7a
Instruction ID: 45ba58e02dd8e61f8e6d48fd5178672b010dab77b0a554041c79c98b8a2e2061
Opcode Fuzzy Hash: fd65d5a3ad404719e90805af6d94d6d6b2379804570d48b9a18e5c60214a9d7a
Instruction Fuzzy Hash: FA517F69A0C10296CB377714C9413BA3BACDB40740F35CD69E0D9877EDDF398C999A86

Function 003C7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0039569E,00000000,?,003DCC08,?,00000000,00000000), ref: 003C78DD

Part of subcall function 00346B57: _wcslen.LIBCMT ref: 00346B6A

CharUpperBuffW.USER32(0039569E,00000000,?,003DCC08,00000000,?,00000000,00000000), ref: 003C783B

Strings

<s@, xrefs: 003C77C8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s@
API String ID: 3544283678-2701045315
Opcode ID: 6a8d56519b08da7913e41bb8d1e2c55feaefb0adabd395bf81422f3e40cf3405
Instruction ID: 8fcc631bddff1ebb411d5859b15eea09009cf2718cd7d1614ff8f80f66956126
Opcode Fuzzy Hash: 6a8d56519b08da7913e41bb8d1e2c55feaefb0adabd395bf81422f3e40cf3405
Instruction Fuzzy Hash: DD6132769141199ACF06EFA4CC52EFDB3B8FF14300B545529E942BB091EF346E05DBA1

Function 0035E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0035E1B1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 5432a1f18c408e600419aa7ed0723411b3916f224259ba39108de7c6e6c78e34
Instruction ID: f4a2e5c99fcc6cf7758f1c680b2be355c5d9b5d2c0fce2046b0f44aa1b5a8713
Opcode Fuzzy Hash: 5432a1f18c408e600419aa7ed0723411b3916f224259ba39108de7c6e6c78e34
Instruction Fuzzy Hash: CF512335904346DFDF1BEFA8C481ABA7BA8EF15310F244455EC919B2E0D734AE46CBA1

Function 0035F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0035F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0035F2BB

Strings

@, xrefs: 0035F2AF

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 1314fb70c76aad2fbfce6ed6c5a018edcd15c42d3873c4bffec436ed8a402392
Instruction ID: c3841a1de0156bf28ccdd487bd895b5fdd6c8dd64115f5fb89c3d79ea47711f8
Opcode Fuzzy Hash: 1314fb70c76aad2fbfce6ed6c5a018edcd15c42d3873c4bffec436ed8a402392
Instruction Fuzzy Hash: 335174714187459BD321AF50E886BABBBF8FB84304F81884CF1D9490A5EB319528CB67

Function 003C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 003C57E0
_wcslen.LIBCMT ref: 003C57EC

Strings

CALLARGARRAY, xrefs: 003C57E6, 003C57EB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: df081b6eb6ea4aeef1115e14994a5434d29ae72bdc878152d361f6cff7e004eb
Instruction ID: bd29b67967eecb5b889b43ebe17fda3c9c6a30708c7246eee29a6f8cd7c926f4
Opcode Fuzzy Hash: df081b6eb6ea4aeef1115e14994a5434d29ae72bdc878152d361f6cff7e004eb
Instruction Fuzzy Hash: 54418D71E002199FCB16DFA9C881EAEBBB5EF59350F15406DE505AB291E730AD81CBA0

Function 003BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003BD13A

Strings

|, xrefs: 003BD10B

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 60252cf8de428b2a2203dfce28c317d02c15638f8a65ac8e84e6788b477a9874
Instruction ID: 19977590fac556041d38a17e85f0f5b9cf2b8c427b63e2eb907980d990b62966
Opcode Fuzzy Hash: 60252cf8de428b2a2203dfce28c317d02c15638f8a65ac8e84e6788b477a9874
Instruction Fuzzy Hash: 16312C71D01209ABCF16EFA4CD85AEEBFB9FF05304F104019F915AA166E731AA56CF60

Function 003D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003D365C

Strings

static, xrefs: 003D35BC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 41a2b2c6a233f6d7bc6c01645ad3a495fc3fe250a3c9ead7177fd1c9bde452e7
Instruction ID: 4e8c432aef2287d37d302ea61b893340005512d3c5d0832664627010d625ce4b
Opcode Fuzzy Hash: 41a2b2c6a233f6d7bc6c01645ad3a495fc3fe250a3c9ead7177fd1c9bde452e7
Instruction Fuzzy Hash: 1431B072110604AEDB119F38EC81EFB73A9FF48720F01961AF8A597290DA35ED81C761

Function 003D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 003D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003D4634

Strings

', xrefs: 003D458E

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: d835d4c7d3e57e62eed03171cdd3582128aec2b47a298369bb0df54ff225e22b
Instruction ID: 3c5cb2a4b3b2b05d2f72b681fde8d99d4849d95d5e8cc0ee7e4f0683d88b078f
Opcode Fuzzy Hash: d835d4c7d3e57e62eed03171cdd3582128aec2b47a298369bb0df54ff225e22b
Instruction Fuzzy Hash: 8A3128B5A013099FDB15CF69E981BDABBB6FF0A300F14406AE905AB351D770E941CF90

Function 003D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003D3287

Strings

Combobox, xrefs: 003D3249

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: fef405e52b04f73968efb699584787eb6d8db9b11af32b358285d3aa4b4430a2
Instruction ID: b5ab01dc7eef0d9c8039c5d38a6fd7a7dab70b960a767208c23d7f04eb20229c
Opcode Fuzzy Hash: fef405e52b04f73968efb699584787eb6d8db9b11af32b358285d3aa4b4430a2
Instruction Fuzzy Hash: 0D11E672B001087FEF129F54EC81EBB375AEB94364F114526F5149B390D631DD518761

Function 003D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0034600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0034604C
Part of subcall function 0034600E: GetStockObject.GDI32(00000011), ref: 00346060
Part of subcall function 0034600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0034606A

GetWindowRect.USER32(00000000,?), ref: 003D377A
GetSysColor.USER32(00000012), ref: 003D3794

Strings

static, xrefs: 003D3757

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6ddf4bf40aed69fa224c0501cc05a0b22076541249197008616de5867a3bb9d2
Instruction ID: 7ef2d5fddef09431b091130b16b4a36788f4cf9290d213f5b820de1c9f6472b8
Opcode Fuzzy Hash: 6ddf4bf40aed69fa224c0501cc05a0b22076541249197008616de5867a3bb9d2
Instruction Fuzzy Hash: 16116AB262060AAFDF02DFA8DC46EEA7BF8FB08304F014516F955E2250D735E810DB60

Function 003BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003BCDA6

Strings

<local>, xrefs: 003BCD66

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 83aeae7fdf58dadc1cb3f0687f8abbcb4d33286ca6914a988769adc6a5925bb2
Instruction ID: 69ab5a4e8ff9f8ebdef028432a1f44ffb345941f10d1002dab28e11fa118aa36
Opcode Fuzzy Hash: 83aeae7fdf58dadc1cb3f0687f8abbcb4d33286ca6914a988769adc6a5925bb2
Instruction Fuzzy Hash: E01106792216327AD7364B668C44FE7BE6CEF127A8F40523EB24983880D7709940D6F0

Function 003D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003D34BA

Strings

edit, xrefs: 003D348F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d925acc24a22241a12da072b6c9baf33b0c2a7519d9652907b079c26a96269a8
Instruction ID: 6392216a58945ed9c4b0b3227f8a6ac794357fee31f3e560520520e77bad5fd5
Opcode Fuzzy Hash: d925acc24a22241a12da072b6c9baf33b0c2a7519d9652907b079c26a96269a8
Instruction Fuzzy Hash: 10119D72110108AAEB134F65FC40AFB376AEB05374F514326F960972E0C779EC519752

Function 003A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

CharUpperBuffW.USER32(?,?,?), ref: 003A6CB6
_wcslen.LIBCMT ref: 003A6CC2

Strings

STOP, xrefs: 003A6CBC, 003A6CC1

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 878e71e8ef7b7dd041af9e7ade08a50f3d2afddfe5ea1e74decb2804ae1e9f95
Instruction ID: 260005997348112038ae61bb27cd1797618f1ad0b0b3058ce890d10981c703be
Opcode Fuzzy Hash: 878e71e8ef7b7dd041af9e7ade08a50f3d2afddfe5ea1e74decb2804ae1e9f95
Instruction Fuzzy Hash: 560108326105278BCB129FBDDC829BF33E8EE627607060535E4629A195EB31D900C650

Function 003A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003A1D4C

Strings

ListBox, xrefs: 003A1D16
ComboBox, xrefs: 003A1CEB

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7db816a35605889734e11f24bef6c1a256e0afd2104241494d1d29151c7800b0
Instruction ID: 8cba7c126906aaec01c59a5aba45ca87c846c6fe08bbb425b289a19e7c962bb3
Opcode Fuzzy Hash: 7db816a35605889734e11f24bef6c1a256e0afd2104241494d1d29151c7800b0
Instruction Fuzzy Hash: E501D875651214ABCB06FBA4DC55DFFB7A8EB57350F14061AF8326F2C1EA346908C660

Function 003A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 003A1C46

Strings

ListBox, xrefs: 003A1C10
ComboBox, xrefs: 003A1BE5

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 40d1e47268abb955b2d6dc2976cfb2ff5c9e1977c6da7ac690ca265a3697e6fc
Instruction ID: df72fbd838ed9fe69f393f3119b7c9ab641fd34bff497056f628bff1138ad6ac
Opcode Fuzzy Hash: 40d1e47268abb955b2d6dc2976cfb2ff5c9e1977c6da7ac690ca265a3697e6fc
Instruction Fuzzy Hash: 1D01A775AC110466CB06EB90DD51AFF77ECDB12350F14001AB4067B2C2EA24AE08C6B1

Function 003A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 003A1CC8

Strings

ListBox, xrefs: 003A1C94
ComboBox, xrefs: 003A1C69

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c80c6c43bb8e68ebbbb8da2ad16feca82221cec90b4cf063902bc306d07109ed
Instruction ID: 5ecd6e2bf6194d672dbc49364b748ba52cd42fad9c0516e4d54a7ca9cc82ca1a
Opcode Fuzzy Hash: c80c6c43bb8e68ebbbb8da2ad16feca82221cec90b4cf063902bc306d07109ed
Instruction Fuzzy Hash: 350186B5A8111867CF16EBA4DE55BFF77ECDB12350F140116B8027B282EA65AF08C6B1

Function 0035A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0035A529

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Strings

,%A, xrefs: 0035A509
3y9, xrefs: 0035A545, 0035A54D, 0035A552

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%A$3y9
API String ID: 2551934079-252068093
Opcode ID: cdbeb1af9d4d662f7dbc59746f8fddfb3af25fa018c15413593f404a63795d32
Instruction ID: dda52000969971a12f7b29698a8619feebcb26cd1b6a4a11a525fab8067439cf
Opcode Fuzzy Hash: cdbeb1af9d4d662f7dbc59746f8fddfb3af25fa018c15413593f404a63795d32
Instruction Fuzzy Hash: 52017B31700A1097C507F7A8E85BFAE3394DB06711F404565F9025F2D3EE906D49969B

Function 003A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00349CB3: _wcslen.LIBCMT ref: 00349CBD

Part of subcall function 003A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 003A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 003A1DD3

Strings

ListBox, xrefs: 003A1DA0
ComboBox, xrefs: 003A1D75

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 59784af09810ff7ece6606609ed645911f820c06194876538287b92fd1921d82
Instruction ID: d0b4b8151b9488fe57157cc8b5db5f2b4bfb07e1b14a22fafe57af05e02a626a
Opcode Fuzzy Hash: 59784af09810ff7ece6606609ed645911f820c06194876538287b92fd1921d82
Instruction Fuzzy Hash: D9F0C871B9121466DB06F7A4DD96FFF77BCEB03350F140916B8227B2C2DA70790886A0

Function 003D8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00413018,0041305C), ref: 003D81BF
CloseHandle.KERNEL32 ref: 003D81D1

Strings

\0A, xrefs: 003D818A

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0A
API String ID: 3712363035-1148864819
Opcode ID: 3a74f05ad0e6867a7dbeba1b7c8e3e904e65f954e589c73b437200eaeffeeea4
Instruction ID: 13ad58641849de49ddac76d8972d8f9bcde13ad3856d090fdaf8dca915bb842c
Opcode Fuzzy Hash: 3a74f05ad0e6867a7dbeba1b7c8e3e904e65f954e589c73b437200eaeffeeea4
Instruction Fuzzy Hash: CCF05EB5650300BAE7216F61AC45FF73E9CDB09752F018432BB08D91A6D7799F4482BC

Function 003C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 003C7493
_wcslen.LIBCMT ref: 003C74B9

Strings

3, 3, 16, 1, xrefs: 003C7483

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 7a583c0dcdeb2f07df67097c95a7a66e347a9398a61b04b26c1a3c7c436042a9
Instruction ID: f133ae9910c7e250a3ee30b93aa842cb083543c28a1b3cb4ee5418b3cf8b8718
Opcode Fuzzy Hash: 7a583c0dcdeb2f07df67097c95a7a66e347a9398a61b04b26c1a3c7c436042a9
Instruction Fuzzy Hash: D9E02B02A4462010A237127B9CC5F7F56CADFC5790710182FFD81C626AEB948DA193A1

Function 003A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 003A0B23

Strings

AutoIt, xrefs: 003A0B17
Error allocating memory., xrefs: 003A0B1C

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 43d285f69f9319d92d69f21e7ca6694ec5c5f9133a3d50dadeb791698de3cb00
Instruction ID: 47203828a132fca2974fff4eb46f7308776f15e490c26a6730cd2f869dd9a23a
Opcode Fuzzy Hash: 43d285f69f9319d92d69f21e7ca6694ec5c5f9133a3d50dadeb791698de3cb00
Instruction Fuzzy Hash: 46E0D8322643092AD2163794BC03FC97BC4CF05B11F100427FB485D5D38AE2645086A9

Function 00360D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0035F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00360D71,?,?,?,0034100A), ref: 0035F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0034100A), ref: 00360D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0034100A), ref: 00360D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00360D7F

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 68331a9c37f6212f499e4ec9152764d20cf2d031af094871cf8bca88e3b7b648
Instruction ID: 79dc6333d28a84b9c9b48578de4bcac0a7d89dc7846326d2f1cf826932100c0d
Opcode Fuzzy Hash: 68331a9c37f6212f499e4ec9152764d20cf2d031af094871cf8bca88e3b7b648
Instruction Fuzzy Hash: 1BE06D742003018FD7269FB8E4457827BE4AB04745F008A2EE882CA769DBB0E448CB91

Function 0035E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0035E3D5

Strings

0%A, xrefs: 0035E3B5
8%A, xrefs: 0035E3CA

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%A$8%A
API String ID: 1385522511-3959272176
Opcode ID: 8e3378285e835c1213e0a97e2c3d84a75ede7c067c91064aaf660dc05233a85b
Instruction ID: 2d03a91a131d22a7889b546f6e288a3783121ec24c472490df4d8f76b4383d5f
Opcode Fuzzy Hash: 8e3378285e835c1213e0a97e2c3d84a75ede7c067c91064aaf660dc05233a85b
Instruction Fuzzy Hash: F1E02639400910EBC60E9718FBE5ECA3357AB05321B918175E802CB1E1DBB42985865C

Function 003B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 003B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 003B3044

Strings

aut, xrefs: 003B3038

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 92168af3c84d0048109c806ee976b3065e3acff17eef6a1ad05e7414fd16b5ac
Instruction ID: 12141c3fcc7f6778642d27780900eb9075bd91421b9c85122385169d7cb4e37a
Opcode Fuzzy Hash: 92168af3c84d0048109c806ee976b3065e3acff17eef6a1ad05e7414fd16b5ac
Instruction Fuzzy Hash: DFD05B7151131467DE20A7A4AC0DFC73B6CD705750F000662B655E20D1DBB49544CAD0

Function 0039D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0039D220

Strings

%.3d, xrefs: 0039D22B
X64, xrefs: 0039D2A8

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 358e39160da5c9f843e61d623286ed0ed0faae022eab795747aeddbc96b13d35
Instruction ID: 112eff198c77a7f9fa2f7ee786fdc6e3968eea4b5d00c45b11757195e2345ccd
Opcode Fuzzy Hash: 358e39160da5c9f843e61d623286ed0ed0faae022eab795747aeddbc96b13d35
Instruction Fuzzy Hash: E6D01261C09109E9CF5297D0DC46DB9B37CBB18301F608862FC46A2881D634D508A761

Function 003D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003D233F

Part of subcall function 003AE97B: Sleep.KERNEL32 ref: 003AE9F3

Strings

Shell_TrayWnd, xrefs: 003D2325

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 5b6e9d29f960f933132cc4faa4b5b47050a4cc98e7b43de55ad654718ccc0341
Instruction ID: b0c5d4f234a692848336931e8d3e93c0884755392bf6c77e082856e0d7b0ece8
Opcode Fuzzy Hash: 5b6e9d29f960f933132cc4faa4b5b47050a4cc98e7b43de55ad654718ccc0341
Instruction Fuzzy Hash: 52D0A9323A1310B6EA64A330AC0FFC6BA089B01B00F0009277206AA0D0CAB4A800CA08

Function 003D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003D236C
PostMessageW.USER32(00000000), ref: 003D2373

Part of subcall function 003AE97B: Sleep.KERNEL32 ref: 003AE9F3

Strings

Shell_TrayWnd, xrefs: 003D2365

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7ef4bc8be5414b5fe5878b1188e60715b847af54c12b114b406facae7b8c349a
Instruction ID: 1ab152f1410052bb1f773c24254fb82c5765453634423f75a64e776dc37878d5
Opcode Fuzzy Hash: 7ef4bc8be5414b5fe5878b1188e60715b847af54c12b114b406facae7b8c349a
Instruction Fuzzy Hash: 5BD0A9323A23107AEA65A330AC0FFC6B6089B02B00F0009277202AA0D0CAB4A800CA08

Function 0037BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0037BE93
GetLastError.KERNEL32 ref: 0037BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0037BEFC

Memory Dump Source

Source File: 00000005.00000002.1358621980.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000005.00000002.1358590245.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.00000000003DC000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358706118.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358809770.000000000040C000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000005.00000002.1358840690.0000000000414000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_340000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 71347e31c11b869a6aedf007c967ddc32bbe34e0adab91a32af981c6a0985df0
Instruction ID: c2d68835539bcd9721e0cc163a2fb369a738c16328e91fed2fd2c2e67ea38b47
Opcode Fuzzy Hash: 71347e31c11b869a6aedf007c967ddc32bbe34e0adab91a32af981c6a0985df0
Instruction Fuzzy Hash: 9841C434601216AFDB338F64DC54BAAFBB9AF41B10F15C169F95D9B2A1DB348D00CB60

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000014.00000003.1395245319.000002D07DCF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1399694030.000002D07DD1C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1481964936.000002D0885D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1533584238.000002D0885D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1512553216.000002D07D8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1504092260.000002D07FE20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1502858337.000002D07FE9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1512553216.000002D07D8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1380903289.000002D080174000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1504092260.000002D07FE20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1511472342.000002D07DAC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1526276324.000002D07DAC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1524500854.000002D07D6FE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1481964936.000002D0885D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1533584238.000002D0885D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1512553216.000002D07D8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1504092260.000002D07FE20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1502858337.000002D07FE9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1512553216.000002D07D8C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1380903289.000002D080174000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1504092260.000002D07FE20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1543814876.000002D07E491000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1529961525.000002D08507C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1529961525.000002D08507C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000014.00000003.1365485141.000002D07E491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1550558704.000002D07E496000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1529961525.000002D08507C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1481964936.000002D0885D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1533584238.000002D0885D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1511472342.000002D07DAC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1528317833.000002D07C988000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1526276324.000002D07DAC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000014.00000003.1523587957.000002D07D44C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1481964936.000002D0885D5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1528715609.000002D07C940000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1517321169.000002D07D826000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000014.00000003.1511834786.000002D07D8EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1524500854.000002D07D6BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000003.1365650327.000002D07CE6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49802 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.7:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49879 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49880 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49886 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b6a5b5f0-dd6d-46d3-aa31-8d0c32189871.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_b6a5b5f0-dd6d-46d3-aa31-8d0c32189871.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre