Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1561396
MD5:	30e0a4341ef78b82f707de1f75554d8f
SHA1:	24b83e21c9e861202cba0f653fbdb480c2509d2f
SHA256:	9324205f06fb84bd07e372d2b405adede12597a5d18b42744aba08f72914c525
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 30E0A4341EF78B82F707DE1F75554D8F)

taskkill.exe (PID: 5260 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 1008 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6936 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 5256 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 6304 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 5756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 6488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 3732 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4412 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7200 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84f6ef57-0988-4df9-9f07-232346996c27} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279e796e310 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7800 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -parentBuildID 20230927232528 -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c75be7-75f4-4a06-81c5-dfb7a4c30b94} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f9a20a10 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7780 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4676 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea218b3-2e7d-4cb6-ae19-516ad18c9688} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f7d60710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.1370166084.0000000001398000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
00000000.00000003.1306122064.0000000001394000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security
Process Memory Space: file.exe PID: 3232	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_005FEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005FED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005FED6A

Source: C:\Users\user\Desktop\file.exe

0_2_005FEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005EAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_005EAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00619576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00619576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_92924257-c
Source: file.exe, 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_530e7d76-3
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6d1f5766-8
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_97c2adbf-2

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000002476182A832 NtQuerySystemInformation,		19_2_000002476182A832
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000247618242B7 NtQuerySystemInformation,		19_2_00000247618242B7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005ED5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_005ED5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_005E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005EE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005EE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058BF40	0_2_0058BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F2046	0_2_005F2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00588060	0_2_00588060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E8298	0_2_005E8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BE4FF	0_2_005BE4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B676B	0_2_005B676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00614873	0_2_00614873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0058CAF0	0_2_0058CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ACAA0	0_2_005ACAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059CC39	0_2_0059CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B6DD9	0_2_005B6DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059B119	0_2_0059B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005891C0	0_2_005891C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1394	0_2_005A1394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1706	0_2_005A1706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A781B	0_2_005A781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059997D	0_2_0059997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00587920	0_2_00587920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A19B0	0_2_005A19B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A7A4A	0_2_005A7A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1C77	0_2_005A1C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A7CA7	0_2_005A7CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060BE44	0_2_0060BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B9EEE	0_2_005B9EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A1F32	0_2_005A1F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000002476182A832	19_2_000002476182A832
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_00000247618242B7	19_2_00000247618242B7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000002476182A872	19_2_000002476182A872
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 19_2_000002476182AF5C	19_2_000002476182AF5C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0059F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005A0A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00589CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@71/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F37B5 GetLastError,FormatMessageW,

0_2_005F37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E10BF AdjustTokenPrivileges,CloseHandle,		0_2_005E10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005E16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005E16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005F51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005ED4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005ED4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_005F648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_005842A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1534933226.00000279F724D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	ReversingLabs: Detection: 31%
Source: file.exe	Virustotal: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84f6ef57-0988-4df9-9f07-232346996c27} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279e796e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -parentBuildID 20230927232528 -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c75be7-75f4-4a06-81c5-dfb7a4c30b94} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f9a20a10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4676 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea218b3-2e7d-4cb6-ae19-516ad18c9688} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f7d60710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84f6ef57-0988-4df9-9f07-232346996c27} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279e796e310 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -parentBuildID 20230927232528 -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c75be7-75f4-4a06-81c5-dfb7a4c30b94} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f9a20a10 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4676 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea218b3-2e7d-4cb6-ae19-516ad18c9688} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f7d60710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.15.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 0000000F.00000003.1459836351.00000279F7150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 0000000F.00000003.1459526077.00000279F7144000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 0000000F.00000003.1459836351.00000279F7150000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.15.dr
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 0000000F.00000003.1459526077.00000279F7144000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Source: gmpopenh264.dll.tmp.15.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A0A76 push ecx; ret

0_2_005A0A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0059F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0059F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00611C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00611C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-96973

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_000002476182A832 rdtsc

19_2_000002476182A832

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.6 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005EDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005EDBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005BC2A2 FindFirstFileExW,	0_2_005BC2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F68EE FindFirstFileW,FindClose,	0_2_005F68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_005F698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ED076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005ED076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005ED3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005ED3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005F9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005F979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_005F9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_005F5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Source: firefox.exe, 00000011.00000002.2569869549.00000281EC540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: firefox.exe, 00000011.00000002.2569869549.00000281EC540000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: firefox.exe, 00000013.00000002.2569217426.0000024761E60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: firefox.exe, 00000014.00000002.2560870747.000001CD27F1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW.@(
Source: firefox.exe, 00000011.00000002.2562526805.00000281EBDAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2569217426.0000024761E60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2560616265.00000247614CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2567985666.000001CD28400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000011.00000002.2568696860.00000281EC11A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000011.00000002.2562526805.00000281EBDAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW*
Source: firefox.exe, 00000011.00000002.2569869549.00000281EC540000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2569217426.0000024761E60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 19_2_000002476182A832 rdtsc

19_2_000002476182A832

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005FEAA2 BlockInput,

0_2_005FEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005B2622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A4CE8 mov eax, dword ptr fs:[00000030h]

0_2_005A4CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_005E0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005B2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005B2622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005A083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A09D5 SetUnhandledExceptionFilter,	0_2_005A09D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005A0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005A0C21

Source: C:\Users\user\Desktop\file.exe

0_2_005E1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005C2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_005C2BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005EB226 SendInput,keybd_event,

0_2_005EB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006022DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_006022DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_005E0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005E1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_005E1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005A0698 cpuid

0_2_005A0698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_005F8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005DD27A GetUserNameW,

0_2_005DD27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005BB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_005BB952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005842DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005842DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1370166084.0000000001398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1306122064.0000000001394000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3232, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match	File source: 00000000.00000003.1370166084.0000000001398000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1306122064.0000000001394000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3232, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00601204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00601204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00601806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00601806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	32%	ReversingLabs	Win32.Trojan.AutoitInject
file.exe	46%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.1	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.1.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.142	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	216.58.208.238	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/proposedEnrollment	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 0000000F.00000003.1542315936.0000027A02AB9000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/schemaVersion	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/disableGreaseOnFallback	firefox.exe, 0000000F.00000003.1397831971.00000279F9398000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000F.00000003.1393555110.00000279FFC66000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 0000000F.00000003.1463507626.0000027A00E6B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/insecureFallback	firefox.exe, 0000000F.00000003.1397831971.00000279F9398000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000F.00000003.1463507626.0000027A00E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1543377155.0000027A00E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504929210.0000027A00E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000F.00000003.1538381905.0000027A01516000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1528781362.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504649823.0000027A0150E000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 0000000F.00000003.1464946052.00000279FFE27000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000F.00000003.1393555110.00000279FFC66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1351062437.00000279F757F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1348739028.00000279F7300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1410608994.0000027A00C6F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/userFacingName	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestSponsoredEnabled	firefox.exe, 0000000F.00000003.1397881177.00000279F9390000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/valuehtt	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000F.00000003.1350788676.00000279F7560000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1350563942.00000279F7540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1350294630.00000279F7521000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1348739028.00000279F7300000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/referenceBranch	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 0000000F.00000003.1531718548.00000279F89A7000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/outcomes/items	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestSponsoredIndex	firefox.exe, 0000000F.00000003.1397881177.00000279F9390000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000F.00000003.1543168957.0000027A014BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://ok.ru/	firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000F.00000003.1464946052.00000279FFE27000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/valueA	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/csvImport	firefox.exe, 0000000F.00000003.1397831971.00000279F9398000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000F.00000003.1529218455.0000027A00181000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.bbc.co.uk/	firefox.exe, 0000000F.00000003.1386143500.0000027A00058000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000F.00000003.1552536922.0000027A014BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1543168957.0000027A014BB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000F.00000003.1509144918.00000279FBB4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1508205902.00000279FFC2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2565207170.00000247619C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2564064929.000001CD283C3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 0000000F.00000003.1467822379.00000279F91F0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/1/itemshttp://mozilla.org/#/properties/branches/anyOf	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 0000000F.00000003.1543168957.0000027A014A3000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000F.00000003.1463507626.0000027A00E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1543377155.0000027A00E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504929210.0000027A00E84000.00000004.00000800.00020000.00000000.sdmp	false	high
https://shavar.services.mozilla.com/	firefox.exe, 0000000F.00000003.1498235079.0000027A02BD2000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 0000000F.00000003.1567445043.0000027A00107000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1509144918.00000279FBB4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1508205902.00000279FFC2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2565207170.0000024761912000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2564064929.000001CD28313000.00000004.00000800.00020000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.iqiyi.com/	firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1386143500.0000027A00058000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/featureI	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThresholdhttp://mozilla.org/#/propert	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/addonsFeatureGate	firefox.exe, 0000000F.00000003.1397881177.00000279F9390000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/addonsShowLessFrequentlyCap	firefox.exe, 0000000F.00000003.1397881177.00000279F9390000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/autoFillAdaptiveHistoryEnabled	firefox.exe, 0000000F.00000003.1397881177.00000279F9390000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000F.00000003.1508205902.00000279FFC66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1393555110.00000279FFC66000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/itemshttp://mozilla.org/#	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/localizations/anyOf/1http://mozilla.org/#/properties/enrollmentEndDa	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://account.bellmedia.c	firefox.exe, 0000000F.00000003.1511676842.00000279FAC7A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://youtube.com/	firefox.exe, 0000000F.00000003.1391957585.0000027A00129000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/enrollmentEndDate	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://login.microsoftonline.com	firefox.exe, 0000000F.00000003.1511676842.00000279FAC7A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 0000000F.00000003.1527625464.00000279FFCA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1393555110.00000279FFCA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1508205902.00000279FFCA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1546144482.00000279FFCA2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 0000000F.00000003.1465319537.00000279FFCD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1393555110.00000279FFCD4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 0000000F.00000003.1465319537.00000279FFCD4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1393555110.00000279FFCD4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000F.00000003.1475839588.00000279FFD44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1379189910.00000279FFD47000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000F.00000003.1520235338.00000279F9BA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1567487329.00000279F9BA3000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/outcomes	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 0000000F.00000003.1391957585.0000027A00129000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/bucketConfig/properties/namespacehttp://mozilla.org/#/properties/out	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000F.00000003.1509550482.00000279FAD5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1548332876.00000279FAD61000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000F.00000003.1356988104.00000279F5A1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1471950877.00000279F5A32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1356683393.00000279F5A33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1357341575.00000279F5A33000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000F.00000003.1554239589.00000279F9628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.amazon.co.uk/	firefox.exe, 0000000F.00000003.1386143500.0000027A00058000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 0000000F.00000003.1348739028.00000279F7300000.00000004.00000800.00020000.00000000.sdmp	false	high
https://truecolors.firefox.com/	firefox.exe, 0000000F.00000003.1493815337.0000027A02BDB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000F.00000003.1508205902.00000279FFC66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1393555110.00000279FFC66000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value/ad	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.wykop.pl/	firefox.exe, 0000000F.00000003.1386143500.0000027A00058000.00000004.00000800.00020000.00000000.sdmp	false	high
https://vk.com/	firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 0000000F.00000003.1527625464.00000279FFCA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1393555110.00000279FFCA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1508205902.00000279FFCA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1386143500.0000027A00058000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1546144482.00000279FFCA2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/dnsMaxAnyPriorityThreads	firefox.exe, 0000000F.00000003.1397831971.00000279F9398000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/	firefox.exe, 0000000F.00000003.1493815337.0000027A02BDB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/0/items/properties/ratio	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestSponsoredIndexresource://normandy/lib/PreferenceRollouts	firefox.exe, 0000000F.00000003.1397881177.00000279F9390000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 0000000F.00000003.1464946052.00000279FFE27000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 0000000F.00000003.1464946052.00000279FFE27000.00000004.00000800.00020000.00000000.sdmp	false	high
https://watch.sling.com/	firefox.exe, 0000000F.00000003.1569230764.00000279F8AC7000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 0000000F.00000003.1375947181.00000279FFD47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1475839588.00000279FFD44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1379189910.00000279FFD47000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestShouldShowOnboardingDialog	firefox.exe, 0000000F.00000003.1397939891.00000279F9388000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/appId	firefox.exe, 0000000F.00000003.1398001710.00000279F9373000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/complete/	firefox.exe, 0000000F.00000003.1464515896.00000279FFE97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1523995739.00000279FFE9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1392156254.00000279FFE97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/	firefox.exe, 0000000F.00000003.1493815337.0000027A02BDB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarningElem	firefox.exe, 0000000F.00000003.1537198280.0000027A029EB000.00000004.00000800.00020000.00000000.sdmp	false	high
https://webextensions.settings.services.mozilla.com/v1	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts	firefox.exe, 0000000F.00000003.1379343244.00000279FFD40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1482903551.00000279FFD3F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/firefox/	firefox.exe, 00000011.00000002.2564030695.00000281EBF30000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.2562413153.0000024761780000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2563184421.000001CD28200000.00000002.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
151.101.1.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
142.250.181.142	youtube.com	United States	15169	GOOGLEUS	false
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561396
Start date and time:	2024-11-23 10:32:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@71/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 95% Number of executed functions: 42 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 35.164.125.63, 35.80.238.59, 52.12.64.98, 172.217.17.78, 88.221.134.209, 88.221.134.155, 172.217.17.42
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, e16604.g.akamaiedge.net, safebrowsing.googleapis.com, prod.fs.microsoft.com.akadns.net, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:33:24	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.1.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.65.91
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123 151.101.1.91

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6f4a5942-9bea-42d7-833d-41b2024515a8.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.175395741292121
Encrypted:	false
SSDEEP:	192:DMvMXCs3cbhbVbTbfbRbObtbyEl7nsrXJA6unSrDtTkd/S93:DFvcNhnzFSJMr+1nSrDhkd/c3
MD5:	C582A369B54D47513FAE70A13DC89E8B
SHA1:	5F54B3DA92787AA56823659789DC930B9C34E484
SHA-256:	4374E484A1F247AF1E31545E70FCB30594738171525633E05E40AEDAC6619A78
SHA-512:	6CAE77F17C258B6D70BD10C036BA9A29BE975A1D70516866AFF84523F990FAAF489698398531DA7083F056EAF18DA95D12E3A97B4E9D4D26547C8B23D7E5430B
Malicious:	false
Preview:	{"type":"uninstall","id":"6f4a5942-9bea-42d7-833d-41b2024515a8","creationDate":"2024-11-23T11:13:58.895Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6f4a5942-9bea-42d7-833d-41b2024515a8.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.175395741292121
Encrypted:	false
SSDEEP:	192:DMvMXCs3cbhbVbTbfbRbObtbyEl7nsrXJA6unSrDtTkd/S93:DFvcNhnzFSJMr+1nSrDhkd/c3
MD5:	C582A369B54D47513FAE70A13DC89E8B
SHA1:	5F54B3DA92787AA56823659789DC930B9C34E484
SHA-256:	4374E484A1F247AF1E31545E70FCB30594738171525633E05E40AEDAC6619A78
SHA-512:	6CAE77F17C258B6D70BD10C036BA9A29BE975A1D70516866AFF84523F990FAAF489698398531DA7083F056EAF18DA95D12E3A97B4E9D4D26547C8B23D7E5430B
Malicious:	false
Preview:	{"type":"uninstall","id":"6f4a5942-9bea-42d7-833d-41b2024515a8","creationDate":"2024-11-23T11:13:58.895Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.940382184350008
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLinc8P:8S+Oc+UAOdwiOdKeQjDLic8P
MD5:	24ACCD4B71A1E1B9B14AE01CD9168BE6
SHA1:	5854E952585281CB1F10912A98680CE05686B335
SHA-256:	A813A5F88D25DF7DFFAC09126D33848A4B2DEB8C9D83D865AE83B3A24AE800D1
SHA-512:	1100B692E111C951C58E1EB55B88E46682D87E826A9F7865B706421E2F79CC56C9AA55641EC13228C6090E4D25E8E0E66AE713AD992D624FE837C3D0C242CD01
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.940382184350008
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLinc8P:8S+Oc+UAOdwiOdKeQjDLic8P
MD5:	24ACCD4B71A1E1B9B14AE01CD9168BE6
SHA1:	5854E952585281CB1F10912A98680CE05686B335
SHA-256:	A813A5F88D25DF7DFFAC09126D33848A4B2DEB8C9D83D865AE83B3A24AE800D1
SHA-512:	1100B692E111C951C58E1EB55B88E46682D87E826A9F7865B706421E2F79CC56C9AA55641EC13228C6090E4D25E8E0E66AE713AD992D624FE837C3D0C242CD01
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6081
Entropy (8bit):	6.630563338660768
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1jWpN:JTx2x2t0FDJ4NF6ILPd+Md0k+ueN
MD5:	A9DF71DCDE531DCDC739F83DE1A7FE37
SHA1:	DED8298D70B7CCAABCD204F0750594867ED48FFD
SHA-256:	6DAA4AAAAA052B162DA22F625A30C80FC5539B9123BC4FF767338591CEE8E983
SHA-512:	354040F7E65C12909D5849487DD4B5C8921D22927C3B584D0C206B7BA545FDFFA1A1BEC64CE0A3057B9413EA336CF48AB8C03AA87505BF1A138BAE341F0F4148
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 27954 bytes
Category:	dropped
Size (bytes):	6081
Entropy (8bit):	6.630563338660768
Encrypted:	false
SSDEEP:	96:J2YbKsKNU2xWrp327tGmD4wBON6hCY9rI7hlJwgJVLd+MYE0pG+ml1jWpN:JTx2x2t0FDJ4NF6ILPd+Md0k+ueN
MD5:	A9DF71DCDE531DCDC739F83DE1A7FE37
SHA1:	DED8298D70B7CCAABCD204F0750594867ED48FFD
SHA-256:	6DAA4AAAAA052B162DA22F625A30C80FC5539B9123BC4FF767338591CEE8E983
SHA-512:	354040F7E65C12909D5849487DD4B5C8921D22927C3B584D0C206B7BA545FDFFA1A1BEC64CE0A3057B9413EA336CF48AB8C03AA87505BF1A138BAE341F0F4148
Malicious:	false
Preview:	mozLz40.2m....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07325247831702941
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zki:DLhesh7Owd4+ji
MD5:	AE805A90965FFAE9DC8EDFF628E4C427
SHA1:	900F1E6210F74CEE46ABDF50BECE39BDD03F2240
SHA-256:	21653E975F0CD91396B1080957B3CF15A2E9F1D76276F4AD4CD358A7B8073EBD
SHA-512:	3DBAAD3D48D429FBCCEE0EE36E07B898B79BA402D0779B0B6001E739C8DCAA22F6C5D3D48544F82C1C04F736404484CACD7E0A9BDE75EABB6DA962BF990F4367
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035455806264726504
Encrypted:	false
SSDEEP:	3:GtlstFEytqAH/a6kz27Z9ol1lstFEytqAH/a6kz27Zl/tT89//alEl:GtWtGQqY/+2lSl1WtGQqY/+2l789XuM
MD5:	05C81B89F32B97DA21D403B729B4DAE9
SHA1:	17830BBAC0CA9A82B065267F995F4F47C471204B
SHA-256:	34B661B12012DC6338A7E221B2183117DA37A7520532EA8D9035754D0B773479
SHA-512:	16F287919D2A2B85BD043BF6FBD8F613C83C5E3ED1769563F6A5A2EC6176AFD393E9F17934002EF5FF4FC146023FF4237E9BFA770799D7CD146A4383A2E3C5A6
Malicious:	false
Preview:	..-.....................Sv..%.So..^t.Z..Ap....B..-.....................Sv..%.So..^t.Z..Ap....B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03998118428817617
Encrypted:	false
SSDEEP:	3:Ol1V/aHyz/lollfP1a5Tn/57l8rEXsxdwhml8XW3R2:KT/uyz/l4d1Kntl8dMhm93w
MD5:	804226FD09CBE4FFAA7F53084D1D30E3
SHA1:	1ECAD9311861D0717EDC5FC1CBD4AF0C9E45E157
SHA-256:	EE1151A6033C8E2652492F0B89E60352DF37270D5020D4500D0351F387602413
SHA-512:	D1BA3F6E4F36F811774D4268DFE2E6570DD5A7E26D18096505A44739D4322AA7C7561D19BC76D17BFF6E39B125F5CA3B4E40472A5AF61971F675851D7EEDC423
Malicious:	false
Preview:	7....-............^t.Z.4....IW...........^t.Z...vSoS.%................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.47714398196833
Encrypted:	false
SSDEEP:	192:lHnSRkyYbBp6yNqUCaXo6VzArKNan5RHNBw8d9nSl:gehqUDZArG4PwS0
MD5:	C8128C83258E6E5056EBA62A1D31EBDF
SHA1:	6E282FE7B7B85B19AB2BE11B7CD3B8D32D951716
SHA-256:	61ECBA36BD7A4A83830068D586F64251669A6229DC4D73DC874F48E2C0ABC74B
SHA-512:	398098B3D1C84A2E6D41C55472C5C9F9B9622B2605FC9F9E366D71C18817810F2FA48E322A54F23A51C56B34B2B241457B83658A02C22BEBC9A135D514694F0C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732360409);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732360409);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732360409);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173236

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.47714398196833
Encrypted:	false
SSDEEP:	192:lHnSRkyYbBp6yNqUCaXo6VzArKNan5RHNBw8d9nSl:gehqUDZArG4PwS0
MD5:	C8128C83258E6E5056EBA62A1D31EBDF
SHA1:	6E282FE7B7B85B19AB2BE11B7CD3B8D32D951716
SHA-256:	61ECBA36BD7A4A83830068D586F64251669A6229DC4D73DC874F48E2C0ABC74B
SHA-512:	398098B3D1C84A2E6D41C55472C5C9F9B9622B2605FC9F9E366D71C18817810F2FA48E322A54F23A51C56B34B2B241457B83658A02C22BEBC9A135D514694F0C
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732360409);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732360409);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732360409);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173236

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.337876997133569
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSTUJILXnIgLf/pnxQwRlszT5sKhi06m3eHVVPNZTh6amhuj3pOOcU/:GUpOxUUJITZnR6F3etZTh645edsd
MD5:	3D064F2F74F8EF966831EE2F59D32CF6
SHA1:	98046971D2A825FF2D3839976E859622EB2788D6
SHA-256:	283A3ADE4B6B34F035C7DAD11F4537384A71C729BA26E70C85A4D25F90A0F6A8
SHA-512:	6CF3EF930E7FC0A2AE48B44091C39C5D67F817E413FD5A2C9B8CA304CF3D391C8DDF30A7A7301EC7336623703BECC880815B74F359386F95781A8D95B894C489
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{3664f946-d8a6-42db-a961-472d468396df}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732360413495,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`378197...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....385810,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.337876997133569
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSTUJILXnIgLf/pnxQwRlszT5sKhi06m3eHVVPNZTh6amhuj3pOOcU/:GUpOxUUJITZnR6F3etZTh645edsd
MD5:	3D064F2F74F8EF966831EE2F59D32CF6
SHA1:	98046971D2A825FF2D3839976E859622EB2788D6
SHA-256:	283A3ADE4B6B34F035C7DAD11F4537384A71C729BA26E70C85A4D25F90A0F6A8
SHA-512:	6CF3EF930E7FC0A2AE48B44091C39C5D67F817E413FD5A2C9B8CA304CF3D391C8DDF30A7A7301EC7336623703BECC880815B74F359386F95781A8D95B894C489
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{3664f946-d8a6-42db-a961-472d468396df}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732360413495,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`378197...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....385810,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1572
Entropy (8bit):	6.337876997133569
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSTUJILXnIgLf/pnxQwRlszT5sKhi06m3eHVVPNZTh6amhuj3pOOcU/:GUpOxUUJITZnR6F3etZTh645edsd
MD5:	3D064F2F74F8EF966831EE2F59D32CF6
SHA1:	98046971D2A825FF2D3839976E859622EB2788D6
SHA-256:	283A3ADE4B6B34F035C7DAD11F4537384A71C729BA26E70C85A4D25F90A0F6A8
SHA-512:	6CF3EF930E7FC0A2AE48B44091C39C5D67F817E413FD5A2C9B8CA304CF3D391C8DDF30A7A7301EC7336623703BECC880815B74F359386F95781A8D95B894C489
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{3664f946-d8a6-42db-a961-472d468396df}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732360413495,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..jUpdate...6,"startTim..`378197...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....385810,"originA

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036589402899867
Encrypted:	false
SSDEEP:	48:YrSAYSdeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycSd+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	C4EB8EE690DFDE1014D826E6D441A52E
SHA1:	B60BCF50586B5C88F4FE357CF4DF6280FB12921A
SHA-256:	9573D63160C876A3E2E289F342B69516FE9B93819BFBBC15B98BFCE3669E130A
SHA-512:	6F622E8D2AB95322FD5EF4971FE311A4AC3B607AF92455DD0A72791EA73E22F83E3C92EFB670A9D1E2B413765A6EBFEE77902416CFA13731967383262AFE54AE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T11:13:13.093Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.036589402899867
Encrypted:	false
SSDEEP:	48:YrSAYSdeUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfAct:ycSd+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	C4EB8EE690DFDE1014D826E6D441A52E
SHA1:	B60BCF50586B5C88F4FE357CF4DF6280FB12921A
SHA-256:	9573D63160C876A3E2E289F342B69516FE9B93819BFBBC15B98BFCE3669E130A
SHA-512:	6F622E8D2AB95322FD5EF4971FE311A4AC3B607AF92455DD0A72791EA73E22F83E3C92EFB670A9D1E2B413765A6EBFEE77902416CFA13731967383262AFE54AE
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-23T11:13:13.093Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.591359908895862
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'112 bytes
MD5:	30e0a4341ef78b82f707de1f75554d8f
SHA1:	24b83e21c9e861202cba0f653fbdb480c2509d2f
SHA256:	9324205f06fb84bd07e372d2b405adede12597a5d18b42744aba08f72914c525
SHA512:	e3d83fd11036bd7c860fffd4330396905281c3d8b4127c7b95bd088cc3a5d8a99e75caac493e66caa7e618f2fd98f740eb24cd4ec1b339e3fa67b4f605c54122
SSDEEP:	12288:UqDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgarTj:UqDEvCTbMWu7rQYlBQcBiT6rprG8avj
TLSH:	71159E0273D1C062FFAB92334B5AF6515BBC69260123E61F13981DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67419CE5 [Sat Nov 23 09:14:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F6BB90BF343h
jmp 00007F6BB90BEC4Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6BB90BEE2Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F6BB90BEDFAh
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F6BB90C19EDh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F6BB90C1A38h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F6BB90C1A21h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa758	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa758	0xa800	23288e053a609b31bb581e8e01dcfec0	False	0.36681547619047616	data	5.611990449107219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1a20	data			1.0016447368421053
RT_GROUP_ICON	0xde1d8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde250	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde264	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde278	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde28c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde368	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 10:33:20.480480909 CET	49709	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:20.482037067 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:20.482059002 CET	443	49710	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:20.482206106 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:20.482228994 CET	443	49711	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:20.482356071 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:20.482573032 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:20.487826109 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:20.487840891 CET	443	49710	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:20.489897013 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:20.489923954 CET	443	49711	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:20.583080053 CET	49717	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:20.583110094 CET	443	49717	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:20.583252907 CET	49717	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:20.585369110 CET	49717	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:20.585383892 CET	443	49717	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:20.600523949 CET	80	49709	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:20.603735924 CET	49709	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:20.603921890 CET	49709	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:20.723562956 CET	80	49709	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:21.596239090 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:21.596292019 CET	443	49718	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:21.596860886 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:21.598882914 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:21.598913908 CET	443	49718	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:21.651212931 CET	49719	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:21.651333094 CET	443	49719	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:21.651552916 CET	49719	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:21.653604984 CET	49719	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:21.653650045 CET	443	49719	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:21.657052040 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:21.657083988 CET	443	49720	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:21.657360077 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:21.657502890 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:21.657525063 CET	443	49720	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:21.710094929 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:21.710135937 CET	443	49721	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:21.710212946 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:21.710488081 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:21.710504055 CET	443	49721	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:21.738116026 CET	80	49709	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:21.739330053 CET	49709	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:21.860379934 CET	80	49709	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:21.875107050 CET	49709	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:21.898192883 CET	443	49717	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:21.901796103 CET	49717	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:21.912525892 CET	49717	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:21.912540913 CET	443	49717	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:21.912698030 CET	49717	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:21.912874937 CET	443	49717	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:21.912944078 CET	49717	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:22.190377951 CET	443	49711	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.191056967 CET	443	49711	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.191540003 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.191566944 CET	443	49711	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.272664070 CET	443	49710	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.272783041 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.273669958 CET	443	49710	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.273772001 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.276951075 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.434988976 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.435030937 CET	443	49711	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.435120106 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.435229063 CET	443	49711	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.438256979 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.438319921 CET	443	49710	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.438364983 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.438595057 CET	443	49710	142.250.181.142	192.168.2.7
Nov 23, 2024 10:33:22.441602945 CET	49711	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.441621065 CET	49710	443	192.168.2.7	142.250.181.142
Nov 23, 2024 10:33:22.575774908 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:22.575889111 CET	49724	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:22.695336103 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:22.695358038 CET	80	49724	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:22.716479063 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:22.716485023 CET	49724	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:22.716753006 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:22.716924906 CET	49724	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:22.836328030 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:22.836342096 CET	80	49724	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:22.864716053 CET	443	49718	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.871332884 CET	443	49718	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.872718096 CET	443	49720	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:22.878199100 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.878784895 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.878793955 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:22.883956909 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:22.883974075 CET	443	49720	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:22.884229898 CET	443	49720	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:22.888068914 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:22.888206959 CET	443	49720	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:22.888221979 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:22.888228893 CET	443	49720	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:22.888309002 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.888324976 CET	443	49718	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.888396978 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.888478041 CET	443	49718	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.888571978 CET	49718	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.888612032 CET	49720	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:22.922190905 CET	443	49719	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.927330017 CET	443	49719	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.931391954 CET	49719	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.939152956 CET	49719	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.939174891 CET	443	49719	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.939337015 CET	443	49719	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.943240881 CET	49719	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:22.943268061 CET	443	49719	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:22.944232941 CET	49719	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:23.023994923 CET	443	49721	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:23.024108887 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.028578997 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.028594017 CET	443	49721	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:23.029021978 CET	443	49721	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:23.031666994 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.031883001 CET	443	49721	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:23.031975985 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.031985998 CET	443	49721	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:23.032345057 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.032437086 CET	443	49730	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:23.032551050 CET	49721	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.032835007 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.033087015 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:23.033122063 CET	443	49730	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:23.379923105 CET	49731	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:23.379940033 CET	443	49731	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:23.394068956 CET	49731	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:23.398797035 CET	49731	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:23.398808956 CET	443	49731	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:23.801362991 CET	80	49724	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:23.801750898 CET	49724	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:23.848387957 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:23.848773003 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:23.921505928 CET	80	49724	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:23.925052881 CET	49724	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:23.968699932 CET	80	49723	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:23.968765020 CET	49723	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:24.242835045 CET	443	49730	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:24.247332096 CET	443	49730	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:24.247416973 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:24.248208046 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:24.251133919 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:24.251164913 CET	443	49730	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:24.251719952 CET	443	49730	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:24.258599997 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:24.258704901 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:24.258846998 CET	443	49730	34.160.144.191	192.168.2.7
Nov 23, 2024 10:33:24.258912086 CET	49730	443	192.168.2.7	34.160.144.191
Nov 23, 2024 10:33:24.293116093 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:24.412998915 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:24.413080931 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:24.413270950 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:24.532783985 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:24.664062023 CET	443	49731	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:24.664083958 CET	443	49731	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:24.664161921 CET	49731	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:24.669121981 CET	49731	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:24.669131041 CET	443	49731	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:24.669316053 CET	49731	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:24.669529915 CET	443	49731	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:24.669809103 CET	49734	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:24.669853926 CET	443	49734	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:24.670780897 CET	49731	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:24.670844078 CET	49734	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:24.672435045 CET	49734	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:24.672451973 CET	443	49734	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:24.844744921 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:24.964397907 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:24.964488029 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:24.964706898 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:25.084995985 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:25.481878996 CET	49742	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:25.481903076 CET	443	49742	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:25.482076883 CET	49742	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:25.483545065 CET	49742	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:25.483561039 CET	443	49742	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:25.544326067 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:25.590415955 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:25.909867048 CET	443	49734	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:25.911216974 CET	49734	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:25.916344881 CET	49734	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:25.916358948 CET	443	49734	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:25.916537046 CET	49734	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:25.916596889 CET	443	49734	34.117.188.166	192.168.2.7
Nov 23, 2024 10:33:25.916667938 CET	49734	443	192.168.2.7	34.117.188.166
Nov 23, 2024 10:33:26.155035019 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:26.207751989 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:26.743256092 CET	443	49742	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:26.743341923 CET	49742	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:26.748728991 CET	49742	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:26.748739004 CET	443	49742	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:26.748843908 CET	443	49742	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:26.748851061 CET	49742	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:26.748856068 CET	443	49742	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:26.955334902 CET	443	49742	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:26.955413103 CET	49742	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:27.238344908 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:27.251163006 CET	49743	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:27.251197100 CET	443	49743	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:27.251357079 CET	49743	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:27.252837896 CET	49743	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:27.252849102 CET	443	49743	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:27.258153915 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:27.295722008 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:27.295768023 CET	443	49745	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:27.296207905 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:27.296400070 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:27.296417952 CET	443	49745	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:27.299434900 CET	49746	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:27.299448967 CET	443	49746	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:27.300169945 CET	49746	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:27.301594019 CET	49746	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:27.301604033 CET	443	49746	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:27.357953072 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:27.377767086 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:27.412189007 CET	49747	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:27.412218094 CET	443	49747	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:27.412600040 CET	49747	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:27.414433956 CET	49747	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:27.414443016 CET	443	49747	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:27.561985016 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:27.590930939 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:27.594160080 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:27.637363911 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:27.714096069 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:27.918446064 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:27.969556093 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:28.398319960 CET	49752	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.398430109 CET	443	49752	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:28.398693085 CET	49752	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.400105000 CET	49752	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.400132895 CET	443	49752	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:28.555094957 CET	443	49745	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:28.555210114 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:28.558460951 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:28.558484077 CET	443	49745	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:28.558818102 CET	443	49745	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:28.560106993 CET	443	49743	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:28.560173988 CET	49743	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:28.563460112 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:28.563577890 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:28.563648939 CET	443	49745	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:28.564094067 CET	49745	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:28.565239906 CET	49743	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:28.565252066 CET	443	49743	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:28.565304041 CET	49743	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:28.565433979 CET	443	49743	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:28.565532923 CET	49743	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:28.575773954 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:28.613296986 CET	443	49746	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:28.613374949 CET	49746	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.637306929 CET	49746	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.637320042 CET	443	49746	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:28.637402058 CET	49746	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.637574911 CET	443	49746	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:28.638339043 CET	49746	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.650845051 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.650896072 CET	443	49753	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:28.650988102 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.651103973 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:28.651122093 CET	443	49753	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:28.671844959 CET	443	49747	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:28.673830986 CET	49747	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:28.694613934 CET	49747	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:28.694633007 CET	443	49747	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:28.694885969 CET	443	49747	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:28.694916964 CET	49747	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:28.694930077 CET	443	49747	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:28.695184946 CET	49747	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:28.695511103 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:28.698975086 CET	49754	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:28.699043036 CET	443	49754	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:28.699254036 CET	49754	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:28.700706005 CET	49754	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:28.700725079 CET	443	49754	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:28.908582926 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:28.912173986 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:28.949837923 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:29.032104969 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:29.236130953 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:29.288487911 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:29.701284885 CET	443	49752	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:29.703692913 CET	49752	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.708580971 CET	49752	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.708620071 CET	443	49752	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:29.708690882 CET	49752	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.708754063 CET	443	49752	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:29.708846092 CET	49752	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.864454985 CET	443	49753	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:29.865195990 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.868129969 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.868153095 CET	443	49753	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:29.868505955 CET	443	49753	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:29.871301889 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.871417046 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.871507883 CET	443	49753	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:29.871592045 CET	49753	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:29.912301064 CET	443	49754	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:29.916497946 CET	49754	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:29.921219110 CET	49754	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:29.921233892 CET	443	49754	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:29.921333075 CET	49754	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:29.921447992 CET	443	49754	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:29.921663046 CET	49754	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.407068968 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:32.420893908 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.420934916 CET	443	49768	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.421705961 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.421750069 CET	443	49769	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.422631025 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.422755003 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.422805071 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.422822952 CET	443	49768	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.422905922 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.422919989 CET	443	49769	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.432457924 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.432476997 CET	443	49770	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.436686039 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.437153101 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.437169075 CET	443	49770	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.437469006 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:32.437510967 CET	443	49771	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:32.438304901 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:32.438446045 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:32.438462973 CET	443	49771	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:32.442428112 CET	49772	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.442444086 CET	443	49772	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.442770004 CET	49772	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.444159985 CET	49772	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:32.444173098 CET	443	49772	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:32.526582003 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:32.740159988 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:32.783242941 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:32.868181944 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:32.987679958 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:33.191641092 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:33.246911049 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:33.738594055 CET	443	49769	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:33.738709927 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:33.847223043 CET	443	49768	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:33.847309113 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:33.848408937 CET	443	49771	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:33.848509073 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:33.850927114 CET	443	49770	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:33.851038933 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:33.854450941 CET	443	49772	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:33.854629993 CET	49772	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.121213913 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.121248007 CET	443	49768	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.121588945 CET	443	49768	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.124459028 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.124494076 CET	443	49769	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.125487089 CET	443	49769	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.127713919 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.127732038 CET	443	49770	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.128071070 CET	443	49770	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.131181002 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:34.131202936 CET	443	49771	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:34.132110119 CET	443	49771	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:34.138060093 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.138282061 CET	443	49768	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.138333082 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.138345003 CET	443	49768	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.138650894 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.138667107 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.138849974 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.138854027 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.139015913 CET	443	49770	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.139134884 CET	443	49769	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.140258074 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:34.140342951 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:34.140705109 CET	443	49771	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:34.141832113 CET	49770	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.141846895 CET	49769	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.141858101 CET	49771	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:34.141885042 CET	49768	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.142045975 CET	49772	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.142056942 CET	443	49772	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.142132998 CET	49772	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.142257929 CET	443	49772	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:34.142647982 CET	49772	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:34.995557070 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:35.000066042 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:35.000129938 CET	443	49780	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:35.000586033 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:35.000848055 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:35.000865936 CET	443	49780	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:35.004137993 CET	49781	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:35.004163027 CET	443	49781	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:35.004776001 CET	49781	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:35.007469893 CET	49781	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:35.007481098 CET	443	49781	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:35.011576891 CET	49782	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:35.011584997 CET	443	49782	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:35.011975050 CET	49782	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:35.013986111 CET	49782	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:35.013998985 CET	443	49782	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:35.117615938 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:35.330797911 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:35.391206980 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:35.442902088 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:35.566205025 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:35.770282984 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:35.812580109 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:36.261344910 CET	443	49780	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:36.265906096 CET	443	49781	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:36.266266108 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:36.266273022 CET	49781	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:36.271533966 CET	443	49782	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:36.271744013 CET	49782	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:36.458137989 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:36.458168030 CET	443	49780	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:36.458677053 CET	443	49780	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:36.514774084 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:37.810158968 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:37.810205936 CET	49781	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:37.810251951 CET	443	49781	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:37.810365915 CET	49781	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:37.810491085 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:37.810545921 CET	443	49781	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:37.810564041 CET	443	49780	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:37.810969114 CET	49782	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:37.810982943 CET	443	49782	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:37.811033964 CET	49782	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:37.811474085 CET	49781	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:37.811496019 CET	49780	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:37.811533928 CET	443	49782	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:37.811774015 CET	49782	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:38.374927998 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:38.378870010 CET	49789	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:38.378901005 CET	443	49789	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:38.379354954 CET	49789	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:38.380750895 CET	49789	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:38.380762100 CET	443	49789	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:38.494699001 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:38.707787037 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:38.711450100 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:38.752553940 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:38.832204103 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:39.036489010 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:39.084696054 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:39.596986055 CET	443	49789	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:39.597079992 CET	49789	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:39.602591991 CET	49789	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:39.602603912 CET	443	49789	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:39.602703094 CET	49789	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:39.602849960 CET	443	49789	34.120.208.123	192.168.2.7
Nov 23, 2024 10:33:39.602933884 CET	49789	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:33:39.816561937 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:39.936907053 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:40.150151014 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:40.154158115 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:40.203505993 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:40.273811102 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:40.477927923 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:40.526544094 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:48.176023006 CET	49815	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:48.176126003 CET	443	49815	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:48.176831961 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:48.176865101 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:48.179100037 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:48.179106951 CET	49815	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:48.180684090 CET	49815	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:48.180706024 CET	443	49815	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:48.181948900 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:48.181961060 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:48.198122025 CET	49817	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:48.198132992 CET	443	49817	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:48.202692986 CET	49817	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:48.204370022 CET	49817	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:48.204384089 CET	443	49817	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:48.359417915 CET	49818	443	192.168.2.7	35.201.103.21
Nov 23, 2024 10:33:48.359457970 CET	443	49818	35.201.103.21	192.168.2.7
Nov 23, 2024 10:33:48.359865904 CET	49818	443	192.168.2.7	35.201.103.21
Nov 23, 2024 10:33:48.362027884 CET	49818	443	192.168.2.7	35.201.103.21
Nov 23, 2024 10:33:48.362040997 CET	443	49818	35.201.103.21	192.168.2.7
Nov 23, 2024 10:33:48.367791891 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:48.367839098 CET	443	49819	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:48.368011951 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:48.368011951 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:48.368058920 CET	443	49819	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:48.399817944 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:48.399856091 CET	443	49820	151.101.1.91	192.168.2.7
Nov 23, 2024 10:33:48.400144100 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:48.400144100 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:48.400181055 CET	443	49820	151.101.1.91	192.168.2.7
Nov 23, 2024 10:33:49.439584970 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:49.439657927 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.439974070 CET	443	49815	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:49.440145969 CET	49815	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:49.443037987 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.443056107 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:49.443300962 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:49.448147058 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.448255062 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.448308945 CET	443	49816	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:49.448605061 CET	49815	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:49.448617935 CET	443	49815	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:49.448673010 CET	49815	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:49.448888063 CET	443	49815	34.107.243.93	192.168.2.7
Nov 23, 2024 10:33:49.449060917 CET	49816	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.449076891 CET	49815	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:33:49.453155994 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:49.469111919 CET	443	49817	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:49.469192028 CET	49817	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:49.474572897 CET	49817	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:49.474579096 CET	443	49817	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:49.474689007 CET	49817	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:49.474782944 CET	443	49817	35.190.72.216	192.168.2.7
Nov 23, 2024 10:33:49.475429058 CET	49817	443	192.168.2.7	35.190.72.216
Nov 23, 2024 10:33:49.573761940 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:49.579803944 CET	443	49819	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.579921007 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.583218098 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.583230972 CET	443	49819	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.583575010 CET	443	49819	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.585582972 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.585692883 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.585753918 CET	443	49819	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.586728096 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.586766005 CET	49819	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.636285067 CET	443	49818	35.201.103.21	192.168.2.7
Nov 23, 2024 10:33:49.636486053 CET	49818	443	192.168.2.7	35.201.103.21
Nov 23, 2024 10:33:49.641174078 CET	49818	443	192.168.2.7	35.201.103.21
Nov 23, 2024 10:33:49.641190052 CET	443	49818	35.201.103.21	192.168.2.7
Nov 23, 2024 10:33:49.641273022 CET	49818	443	192.168.2.7	35.201.103.21
Nov 23, 2024 10:33:49.641457081 CET	443	49818	35.201.103.21	192.168.2.7
Nov 23, 2024 10:33:49.642064095 CET	49818	443	192.168.2.7	35.201.103.21
Nov 23, 2024 10:33:49.645893097 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.645936012 CET	443	49821	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:49.646131992 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.646258116 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:49.646271944 CET	443	49821	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:49.736188889 CET	443	49820	151.101.1.91	192.168.2.7
Nov 23, 2024 10:33:49.736264944 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:49.739649057 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:49.739660978 CET	443	49820	151.101.1.91	192.168.2.7
Nov 23, 2024 10:33:49.740056038 CET	443	49820	151.101.1.91	192.168.2.7
Nov 23, 2024 10:33:49.741885900 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:49.741988897 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:49.742032051 CET	443	49820	151.101.1.91	192.168.2.7
Nov 23, 2024 10:33:49.746052980 CET	49820	443	192.168.2.7	151.101.1.91
Nov 23, 2024 10:33:49.787014008 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:49.790692091 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:49.830719948 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:49.894058943 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.894151926 CET	443	49823	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.894248962 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.894293070 CET	443	49824	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.894414902 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.894455910 CET	443	49825	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.894485950 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.894496918 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.894607067 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.894627094 CET	443	49823	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.894714117 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.894731998 CET	443	49824	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.895159006 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.895298958 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:49.895319939 CET	443	49825	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:49.910752058 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:50.114936113 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:50.162862062 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:50.901685953 CET	443	49821	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:50.901767015 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:50.905663967 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:50.905680895 CET	443	49821	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:50.905927896 CET	443	49821	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:50.908915997 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:50.909075022 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:50.909106970 CET	443	49821	34.149.100.209	192.168.2.7
Nov 23, 2024 10:33:50.910670996 CET	49821	443	192.168.2.7	34.149.100.209
Nov 23, 2024 10:33:50.912993908 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:51.032593966 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:51.105401039 CET	443	49824	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.107898951 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.111291885 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.111320019 CET	443	49824	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.111566067 CET	443	49824	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.114547968 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.114675999 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.114717960 CET	443	49824	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.119076967 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.119076967 CET	49824	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.155471087 CET	443	49825	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.155580997 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.157788992 CET	443	49823	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.157907963 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.159605980 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.159619093 CET	443	49825	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.160022020 CET	443	49825	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.162379980 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.162410021 CET	443	49823	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.162671089 CET	443	49823	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.166321993 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.166451931 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.166546106 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.166649103 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.166930914 CET	443	49823	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.167004108 CET	443	49825	35.244.181.201	192.168.2.7
Nov 23, 2024 10:33:51.167048931 CET	49823	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.167068005 CET	49825	443	192.168.2.7	35.244.181.201
Nov 23, 2024 10:33:51.245928049 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:51.250345945 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:51.288320065 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:33:51.369879007 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:51.573801994 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:33:51.620429993 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:01.259077072 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:01.378582001 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:01.575553894 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:01.695887089 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:09.525605917 CET	49871	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:09.525650978 CET	443	49871	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:09.525970936 CET	49871	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:09.527499914 CET	49871	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:09.527523994 CET	443	49871	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:10.747699022 CET	443	49871	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:10.747924089 CET	49871	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:10.753951073 CET	49871	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:10.753959894 CET	443	49871	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:10.754106045 CET	49871	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:10.754148960 CET	443	49871	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:10.754559040 CET	49871	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:10.757242918 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:10.877738953 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:11.091149092 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:11.094929934 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:11.140213013 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:11.214716911 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:11.419528008 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:11.472345114 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:18.308510065 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.308543921 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.308756113 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.308852911 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.308881044 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.308892012 CET	443	49895	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.309005022 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309050083 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.309187889 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309242964 CET	443	49897	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.309303999 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309324980 CET	443	49898	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.309832096 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309858084 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309861898 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309870958 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309870958 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.309878111 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.310152054 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.310165882 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.310317039 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.310368061 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.310390949 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.310400009 CET	443	49895	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.310468912 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.310503960 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.310537100 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.310564041 CET	443	49898	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:18.310605049 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:18.310631037 CET	443	49897	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.566714048 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.566800117 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.570739031 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.570759058 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.571048021 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.574094057 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.574263096 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.574268103 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.574282885 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.574861050 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.574907064 CET	443	49905	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.577593088 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.577828884 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.577843904 CET	443	49905	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.578775883 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.578975916 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.579823017 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.580540895 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.582619905 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.582632065 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.582876921 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:19.582923889 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.585165977 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.585180044 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.585490942 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.588773966 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.588881016 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.588968992 CET	443	49893	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.589329958 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.589363098 CET	443	49906	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.589518070 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.589615107 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.589693069 CET	443	49894	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.589811087 CET	49893	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.589845896 CET	49894	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.589993000 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.590122938 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.590132952 CET	443	49906	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.630100965 CET	443	49897	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.630186081 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.630315065 CET	443	49898	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.630378962 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.631469965 CET	443	49895	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.631535053 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.634552002 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.634557962 CET	443	49897	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.634768009 CET	443	49897	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.637906075 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.637923002 CET	443	49895	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.638278961 CET	443	49895	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.641104937 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.641136885 CET	443	49898	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.641396046 CET	443	49898	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.645298958 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.645427942 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.645448923 CET	443	49897	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.645704031 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.645770073 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.645914078 CET	443	49895	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.646420956 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.646492958 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.646591902 CET	443	49898	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.646615028 CET	49897	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.646622896 CET	49895	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.646677971 CET	49898	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.702537060 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:19.783333063 CET	443	49896	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:19.783487082 CET	49896	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:19.915530920 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:19.920247078 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:19.958050013 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:20.039921045 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:20.244220018 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:20.287144899 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:20.296681881 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:20.406990051 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:20.620362043 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:20.624495983 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:20.682193995 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:20.744182110 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:20.806931019 CET	443	49906	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.807199955 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.810226917 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.810242891 CET	443	49906	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.810616970 CET	443	49906	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.812946081 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.813060045 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.813098907 CET	443	49906	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.813237906 CET	49906	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.816576004 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:20.833451033 CET	443	49905	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.833532095 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.836360931 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.836371899 CET	443	49905	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.836582899 CET	443	49905	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.839332104 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.839416027 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.839482069 CET	443	49905	34.120.208.123	192.168.2.7
Nov 23, 2024 10:34:20.839890957 CET	49905	443	192.168.2.7	34.120.208.123
Nov 23, 2024 10:34:20.936084032 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:20.948303938 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:20.998779058 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:21.149523020 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:21.153095961 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:21.199496984 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:21.272660017 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:21.476598024 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:21.528698921 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:31.160705090 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:31.280375957 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:31.477341890 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:31.634419918 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:41.290209055 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:41.410003901 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:41.644346952 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:41.764175892 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:51.415848017 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:51.535656929 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:51.664081097 CET	49979	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:51.664203882 CET	443	49979	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:51.664464951 CET	49979	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:51.665936947 CET	49979	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:51.665975094 CET	443	49979	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:51.769988060 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:51.889744997 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:52.922838926 CET	443	49979	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:52.922909975 CET	49979	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:52.928006887 CET	49979	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:52.928020954 CET	443	49979	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:52.928123951 CET	49979	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:52.928203106 CET	443	49979	34.107.243.93	192.168.2.7
Nov 23, 2024 10:34:52.928380966 CET	49979	443	192.168.2.7	34.107.243.93
Nov 23, 2024 10:34:52.931226015 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:53.051233053 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:53.264985085 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:53.269601107 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:53.305641890 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:34:53.389288902 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:53.593318939 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:34:53.637790918 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:35:03.277105093 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:35:03.396961927 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:35:03.600214005 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:35:03.720009089 CET	80	49732	34.107.221.82	192.168.2.7
Nov 23, 2024 10:35:13.406374931 CET	49735	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:35:13.526896954 CET	80	49735	34.107.221.82	192.168.2.7
Nov 23, 2024 10:35:13.728883028 CET	49732	80	192.168.2.7	34.107.221.82
Nov 23, 2024 10:35:13.848475933 CET	80	49732	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 10:33:20.334481001 CET	49451	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.335658073 CET	61445	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.472829103 CET	53	61445	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:20.480668068 CET	51371	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.481988907 CET	56702	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.583123922 CET	62986	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.617805004 CET	53	51371	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:20.619278908 CET	53	56702	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:20.621468067 CET	57140	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.621803999 CET	56825	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.721476078 CET	53	62986	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:20.723330021 CET	54063	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:20.760639906 CET	53	57140	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:20.761205912 CET	53	56825	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:20.860794067 CET	53	54063	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.452286005 CET	51866	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.504772902 CET	56098	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.565756083 CET	56822	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.595062017 CET	53	51866	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.596549034 CET	57770	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.649426937 CET	53	56098	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.651233912 CET	51534	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.657121897 CET	65394	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.708527088 CET	53	56822	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.735305071 CET	53	57770	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.736238003 CET	52956	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.790124893 CET	53	51534	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.791014910 CET	54680	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.795352936 CET	53	65394	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.796093941 CET	61108	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.847459078 CET	50623	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.875550985 CET	53	52956	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.941781998 CET	53	61108	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.944106102 CET	53	54680	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:21.945382118 CET	51377	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.946456909 CET	50132	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:21.992647886 CET	53	50623	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:22.086044073 CET	53	51377	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:22.087719917 CET	53	50132	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:22.091461897 CET	51342	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:22.230386972 CET	53	51342	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:22.428380013 CET	51451	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:24.843539953 CET	55063	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:24.980722904 CET	53	55063	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:24.987479925 CET	54229	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.006386995 CET	65225	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.129162073 CET	53	54229	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:25.129935026 CET	57428	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.268026114 CET	53	57428	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:25.313487053 CET	51601	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.451615095 CET	53	51601	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:25.468218088 CET	51468	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.481908083 CET	57475	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.619023085 CET	53	57475	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:25.619846106 CET	55074	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.690376043 CET	53	51468	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:25.691301107 CET	53609	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:25.757560968 CET	53	55074	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:25.828283072 CET	53	53609	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:25.871357918 CET	53	52228	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:27.156285048 CET	55693	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:27.158755064 CET	62262	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:27.293989897 CET	53	55693	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:27.296082973 CET	53	62262	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:27.303360939 CET	62549	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:27.441395998 CET	53	62549	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:27.502144098 CET	51434	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:27.638972998 CET	53	51434	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.371690989 CET	59256	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.372081995 CET	50196	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.372414112 CET	62397	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.508747101 CET	53	59256	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.509836912 CET	61866	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.510452986 CET	53	50196	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.510854959 CET	53	62397	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.511157036 CET	63631	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.511965990 CET	58857	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.652750969 CET	53	61866	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.653661966 CET	52563	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.653898954 CET	53	63631	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.654524088 CET	60297	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.655596972 CET	53	58857	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.659787893 CET	62761	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.850089073 CET	53	60297	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.851104021 CET	59723	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.851471901 CET	53	52563	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.851768017 CET	53	62761	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.852056026 CET	52650	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.853776932 CET	57216	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.988646984 CET	53	59723	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.989639044 CET	61755	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:32.990447044 CET	53	52650	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.991224051 CET	53	57216	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:32.991259098 CET	61558	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:33.129327059 CET	53	61558	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:33.130158901 CET	57361	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:33.131650925 CET	53	61755	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:33.132333040 CET	64567	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:33.266896009 CET	53	57361	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:33.385113001 CET	53	64567	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:35.010993004 CET	49468	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:35.151091099 CET	53	49468	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:35.152949095 CET	62044	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:35.291222095 CET	53	62044	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:38.379249096 CET	64606	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:38.516501904 CET	53	64606	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.175225973 CET	56649	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.176018000 CET	64796	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.176830053 CET	54487	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.178909063 CET	54620	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.206106901 CET	60053	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.315310001 CET	53	56649	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.315375090 CET	53	54487	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.316356897 CET	53	54620	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.322840929 CET	54788	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.344604969 CET	53	60053	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.359873056 CET	55859	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.368274927 CET	64766	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.397221088 CET	53	64796	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.460201979 CET	53	54788	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.466032028 CET	54591	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.496871948 CET	53	55859	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.497962952 CET	61651	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.506150007 CET	53	64766	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.607969999 CET	53	54591	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.608911037 CET	60596	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:33:48.637660980 CET	53	61651	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:48.847637892 CET	53	60596	1.1.1.1	192.168.2.7
Nov 23, 2024 10:33:49.453598022 CET	56747	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:34:09.525698900 CET	50949	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:34:09.663661957 CET	53	50949	1.1.1.1	192.168.2.7
Nov 23, 2024 10:34:18.307831049 CET	62351	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:34:18.488631964 CET	53	62351	1.1.1.1	192.168.2.7
Nov 23, 2024 10:34:51.522566080 CET	59924	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:34:51.662853003 CET	53	59924	1.1.1.1	192.168.2.7
Nov 23, 2024 10:34:51.664417982 CET	61272	53	192.168.2.7	1.1.1.1
Nov 23, 2024 10:34:51.801668882 CET	53	61272	1.1.1.1	192.168.2.7
Nov 23, 2024 10:34:52.931474924 CET	59756	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 10:33:20.334481001 CET	192.168.2.7	1.1.1.1	0xeb22	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.335658073 CET	192.168.2.7	1.1.1.1	0x446f	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.480668068 CET	192.168.2.7	1.1.1.1	0x18a3	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.481988907 CET	192.168.2.7	1.1.1.1	0xd2b1	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.583123922 CET	192.168.2.7	1.1.1.1	0x87c0	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.621468067 CET	192.168.2.7	1.1.1.1	0x44b2	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:20.621803999 CET	192.168.2.7	1.1.1.1	0x1da2	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:20.723330021 CET	192.168.2.7	1.1.1.1	0x15ac	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:21.452286005 CET	192.168.2.7	1.1.1.1	0xbd8	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.504772902 CET	192.168.2.7	1.1.1.1	0xd283	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.565756083 CET	192.168.2.7	1.1.1.1	0x7383	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.596549034 CET	192.168.2.7	1.1.1.1	0x9d4	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.651233912 CET	192.168.2.7	1.1.1.1	0x49a4	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.657121897 CET	192.168.2.7	1.1.1.1	0x5d52	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.736238003 CET	192.168.2.7	1.1.1.1	0x1e57	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:21.791014910 CET	192.168.2.7	1.1.1.1	0x636c	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:21.796093941 CET	192.168.2.7	1.1.1.1	0x7588	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:21.847459078 CET	192.168.2.7	1.1.1.1	0x797f	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.945382118 CET	192.168.2.7	1.1.1.1	0x652a	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.946456909 CET	192.168.2.7	1.1.1.1	0x2370	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:22.091461897 CET	192.168.2.7	1.1.1.1	0x5a94	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:22.428380013 CET	192.168.2.7	1.1.1.1	0xd0f2	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:24.843539953 CET	192.168.2.7	1.1.1.1	0xe547	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:24.987479925 CET	192.168.2.7	1.1.1.1	0xda7d	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.006386995 CET	192.168.2.7	1.1.1.1	0xe6ba	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.129935026 CET	192.168.2.7	1.1.1.1	0xf724	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:25.313487053 CET	192.168.2.7	1.1.1.1	0xa33f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.468218088 CET	192.168.2.7	1.1.1.1	0x68d1	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.481908083 CET	192.168.2.7	1.1.1.1	0x5257	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.619846106 CET	192.168.2.7	1.1.1.1	0xf887	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:25.691301107 CET	192.168.2.7	1.1.1.1	0x65e3	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:27.156285048 CET	192.168.2.7	1.1.1.1	0x8f98	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:27.158755064 CET	192.168.2.7	1.1.1.1	0x9141	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:27.303360939 CET	192.168.2.7	1.1.1.1	0x413d	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:27.502144098 CET	192.168.2.7	1.1.1.1	0x6eb2	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:32.371690989 CET	192.168.2.7	1.1.1.1	0x4948	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.372081995 CET	192.168.2.7	1.1.1.1	0x3aef	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.372414112 CET	192.168.2.7	1.1.1.1	0x39b8	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.509836912 CET	192.168.2.7	1.1.1.1	0xe00d	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.511157036 CET	192.168.2.7	1.1.1.1	0xf7d7	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.511965990 CET	192.168.2.7	1.1.1.1	0x44f2	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.653661966 CET	192.168.2.7	1.1.1.1	0x82c1	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:32.654524088 CET	192.168.2.7	1.1.1.1	0xcf42	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:32.659787893 CET	192.168.2.7	1.1.1.1	0xbadb	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 23, 2024 10:33:32.851104021 CET	192.168.2.7	1.1.1.1	0x3bb7	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.852056026 CET	192.168.2.7	1.1.1.1	0x6537	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.853776932 CET	192.168.2.7	1.1.1.1	0xb828	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:32.989639044 CET	192.168.2.7	1.1.1.1	0x7fe	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.991259098 CET	192.168.2.7	1.1.1.1	0x7254	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.130158901 CET	192.168.2.7	1.1.1.1	0x4706	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:33.132333040 CET	192.168.2.7	1.1.1.1	0xa667	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:35.010993004 CET	192.168.2.7	1.1.1.1	0x26bb	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:35.152949095 CET	192.168.2.7	1.1.1.1	0xe3a9	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:38.379249096 CET	192.168.2.7	1.1.1.1	0xa090	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:48.175225973 CET	192.168.2.7	1.1.1.1	0x6aed	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:48.176018000 CET	192.168.2.7	1.1.1.1	0xc9f5	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.176830053 CET	192.168.2.7	1.1.1.1	0x37e3	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.178909063 CET	192.168.2.7	1.1.1.1	0x1a42	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.206106901 CET	192.168.2.7	1.1.1.1	0xf7ab	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.322840929 CET	192.168.2.7	1.1.1.1	0xd425	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:48.359873056 CET	192.168.2.7	1.1.1.1	0xceba	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.368274927 CET	192.168.2.7	1.1.1.1	0xc50b	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 23, 2024 10:33:48.466032028 CET	192.168.2.7	1.1.1.1	0x5ca3	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.497962952 CET	192.168.2.7	1.1.1.1	0x5b61	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:33:48.608911037 CET	192.168.2.7	1.1.1.1	0xa382	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 23, 2024 10:33:49.453598022 CET	192.168.2.7	1.1.1.1	0xffa9	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:34:09.525698900 CET	192.168.2.7	1.1.1.1	0x7744	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:34:18.307831049 CET	192.168.2.7	1.1.1.1	0xc080	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:34:51.522566080 CET	192.168.2.7	1.1.1.1	0xd80c	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:34:51.664417982 CET	192.168.2.7	1.1.1.1	0x3c24	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 23, 2024 10:34:52.931474924 CET	192.168.2.7	1.1.1.1	0x8c66	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 10:33:20.471211910 CET	1.1.1.1	192.168.2.7	0xeb22	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:20.471211910 CET	1.1.1.1	192.168.2.7	0xeb22	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.472829103 CET	1.1.1.1	192.168.2.7	0x446f	No error (0)	youtube.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.559264898 CET	1.1.1.1	192.168.2.7	0x6ed4	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.617805004 CET	1.1.1.1	192.168.2.7	0x18a3	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.619278908 CET	1.1.1.1	192.168.2.7	0xd2b1	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.721476078 CET	1.1.1.1	192.168.2.7	0x87c0	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:20.760639906 CET	1.1.1.1	192.168.2.7	0x44b2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 10:33:20.761205912 CET	1.1.1.1	192.168.2.7	0x1da2	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 23, 2024 10:33:21.595062017 CET	1.1.1.1	192.168.2.7	0xbd8	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.649426937 CET	1.1.1.1	192.168.2.7	0xd283	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:21.649426937 CET	1.1.1.1	192.168.2.7	0xd283	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.656094074 CET	1.1.1.1	192.168.2.7	0x388b	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:21.656094074 CET	1.1.1.1	192.168.2.7	0x388b	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.708527088 CET	1.1.1.1	192.168.2.7	0x7383	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:21.708527088 CET	1.1.1.1	192.168.2.7	0x7383	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:21.708527088 CET	1.1.1.1	192.168.2.7	0x7383	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.735305071 CET	1.1.1.1	192.168.2.7	0x9d4	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.790124893 CET	1.1.1.1	192.168.2.7	0x49a4	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.795352936 CET	1.1.1.1	192.168.2.7	0x5d52	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:21.992647886 CET	1.1.1.1	192.168.2.7	0x797f	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:22.086044073 CET	1.1.1.1	192.168.2.7	0x652a	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:22.086044073 CET	1.1.1.1	192.168.2.7	0x652a	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:22.087719917 CET	1.1.1.1	192.168.2.7	0x2370	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:22.230386972 CET	1.1.1.1	192.168.2.7	0x5a94	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 23, 2024 10:33:22.568466902 CET	1.1.1.1	192.168.2.7	0xd0f2	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:22.568466902 CET	1.1.1.1	192.168.2.7	0xd0f2	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:24.980722904 CET	1.1.1.1	192.168.2.7	0xe547	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:24.980722904 CET	1.1.1.1	192.168.2.7	0xe547	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:24.980722904 CET	1.1.1.1	192.168.2.7	0xe547	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.129162073 CET	1.1.1.1	192.168.2.7	0xda7d	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.431334972 CET	1.1.1.1	192.168.2.7	0xe6ba	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:25.451615095 CET	1.1.1.1	192.168.2.7	0xa33f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.474425077 CET	1.1.1.1	192.168.2.7	0xf1b5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.619023085 CET	1.1.1.1	192.168.2.7	0x5257	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:25.690376043 CET	1.1.1.1	192.168.2.7	0x68d1	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:27.292630911 CET	1.1.1.1	192.168.2.7	0x581a	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:27.292630911 CET	1.1.1.1	192.168.2.7	0x581a	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:27.293989897 CET	1.1.1.1	192.168.2.7	0x8f98	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:27.293989897 CET	1.1.1.1	192.168.2.7	0x8f98	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:27.411098003 CET	1.1.1.1	192.168.2.7	0xff31	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:27.441395998 CET	1.1.1.1	192.168.2.7	0x413d	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.508747101 CET	1.1.1.1	192.168.2.7	0x4948	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.510452986 CET	1.1.1.1	192.168.2.7	0x3aef	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:32.510452986 CET	1.1.1.1	192.168.2.7	0x3aef	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.510854959 CET	1.1.1.1	192.168.2.7	0x39b8	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:32.510854959 CET	1.1.1.1	192.168.2.7	0x39b8	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.652750969 CET	1.1.1.1	192.168.2.7	0xe00d	No error (0)	youtube-ui.l.google.com		172.217.21.46	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.653898954 CET	1.1.1.1	192.168.2.7	0xf7d7	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.655596972 CET	1.1.1.1	192.168.2.7	0x44f2	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.850089073 CET	1.1.1.1	192.168.2.7	0xcf42	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 23, 2024 10:33:32.851471901 CET	1.1.1.1	192.168.2.7	0x82c1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 10:33:32.851471901 CET	1.1.1.1	192.168.2.7	0x82c1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 10:33:32.851471901 CET	1.1.1.1	192.168.2.7	0x82c1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 10:33:32.851471901 CET	1.1.1.1	192.168.2.7	0x82c1	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 23, 2024 10:33:32.851768017 CET	1.1.1.1	192.168.2.7	0xbadb	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 23, 2024 10:33:32.988646984 CET	1.1.1.1	192.168.2.7	0x3bb7	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:32.988646984 CET	1.1.1.1	192.168.2.7	0x3bb7	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.988646984 CET	1.1.1.1	192.168.2.7	0x3bb7	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.988646984 CET	1.1.1.1	192.168.2.7	0x3bb7	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.988646984 CET	1.1.1.1	192.168.2.7	0x3bb7	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.990447044 CET	1.1.1.1	192.168.2.7	0x6537	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.990447044 CET	1.1.1.1	192.168.2.7	0x6537	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.990447044 CET	1.1.1.1	192.168.2.7	0x6537	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:32.990447044 CET	1.1.1.1	192.168.2.7	0x6537	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.129327059 CET	1.1.1.1	192.168.2.7	0x7254	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.129327059 CET	1.1.1.1	192.168.2.7	0x7254	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.129327059 CET	1.1.1.1	192.168.2.7	0x7254	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.129327059 CET	1.1.1.1	192.168.2.7	0x7254	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.131650925 CET	1.1.1.1	192.168.2.7	0x7fe	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.131650925 CET	1.1.1.1	192.168.2.7	0x7fe	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.131650925 CET	1.1.1.1	192.168.2.7	0x7fe	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:33.131650925 CET	1.1.1.1	192.168.2.7	0x7fe	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:35.151091099 CET	1.1.1.1	192.168.2.7	0x26bb	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.315375090 CET	1.1.1.1	192.168.2.7	0x37e3	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.316356897 CET	1.1.1.1	192.168.2.7	0x1a42	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:48.316356897 CET	1.1.1.1	192.168.2.7	0x1a42	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.344604969 CET	1.1.1.1	192.168.2.7	0xf7ab	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:48.344604969 CET	1.1.1.1	192.168.2.7	0xf7ab	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.366075993 CET	1.1.1.1	192.168.2.7	0x38fb	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:48.366075993 CET	1.1.1.1	192.168.2.7	0x38fb	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.397221088 CET	1.1.1.1	192.168.2.7	0xc9f5	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.397221088 CET	1.1.1.1	192.168.2.7	0xc9f5	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.397221088 CET	1.1.1.1	192.168.2.7	0xc9f5	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.397221088 CET	1.1.1.1	192.168.2.7	0xc9f5	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.496871948 CET	1.1.1.1	192.168.2.7	0xceba	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.607969999 CET	1.1.1.1	192.168.2.7	0x5ca3	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.607969999 CET	1.1.1.1	192.168.2.7	0x5ca3	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.607969999 CET	1.1.1.1	192.168.2.7	0x5ca3	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.607969999 CET	1.1.1.1	192.168.2.7	0x5ca3	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:48.847637892 CET	1.1.1.1	192.168.2.7	0xa382	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 10:33:48.847637892 CET	1.1.1.1	192.168.2.7	0xa382	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 10:33:48.847637892 CET	1.1.1.1	192.168.2.7	0xa382	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 10:33:48.847637892 CET	1.1.1.1	192.168.2.7	0xa382	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 23, 2024 10:33:49.598285913 CET	1.1.1.1	192.168.2.7	0xffa9	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:49.598285913 CET	1.1.1.1	192.168.2.7	0xffa9	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:49.892647028 CET	1.1.1.1	192.168.2.7	0xf8fc	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:49.892647028 CET	1.1.1.1	192.168.2.7	0xf8fc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:50.031920910 CET	1.1.1.1	192.168.2.7	0xe9d2	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:50.031920910 CET	1.1.1.1	192.168.2.7	0xe9d2	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:33:52.016594887 CET	1.1.1.1	192.168.2.7	0x324	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:33:52.016594887 CET	1.1.1.1	192.168.2.7	0x324	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:34:18.306200981 CET	1.1.1.1	192.168.2.7	0x53cc	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:34:51.662853003 CET	1.1.1.1	192.168.2.7	0xd80c	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:34:53.074359894 CET	1.1.1.1	192.168.2.7	0x8c66	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 23, 2024 10:34:53.074359894 CET	1.1.1.1	192.168.2.7	0x8c66	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	34.107.221.82	80	4412	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 10:33:20.603921890 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:21.738116026 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 13:59:07 GMT Age: 70454 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49723	34.107.221.82	80	4412	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 10:33:22.716753006 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:23.848387957 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Fri, 22 Nov 2024 19:15:19 GMT Age: 51484 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49724	34.107.221.82	80	4412	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 10:33:22.716924906 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:23.801362991 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Fri, 22 Nov 2024 13:59:07 GMT Age: 70456 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49732	34.107.221.82	80	4412	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 10:33:24.413270950 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:25.544326067 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30260 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:27.238344908 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:27.561985016 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30262 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:27.594160080 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:27.918446064 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30262 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:28.912173986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:29.236130953 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30264 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:32.868181944 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:33.191641092 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30268 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:35.442902088 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:35.770282984 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30270 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:38.711450100 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:39.036489010 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30273 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:40.154158115 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:40.477927923 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30275 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:49.790692091 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:50.114936113 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30284 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:33:51.250345945 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:33:51.573801994 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30286 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:34:01.575553894 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:11.094929934 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:34:11.419528008 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30306 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:34:19.920247078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:34:20.244220018 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30315 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:34:20.624495983 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:34:20.948303938 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30315 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:34:21.153095961 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:34:21.476598024 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30316 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:34:31.477341890 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:41.644346952 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:51.769988060 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:53.269601107 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 23, 2024 10:34:53.593318939 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Sat, 23 Nov 2024 01:09:05 GMT Age: 30348 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 23, 2024 10:35:03.600214005 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:35:13.728883028 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49735	34.107.221.82	80	4412	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 10:33:24.964706898 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:26.155035019 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9928 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:27.258153915 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:27.590930939 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9930 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:28.575773954 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:28.908582926 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9931 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:32.407068968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:32.740159988 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9935 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:34.995557070 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:35.330797911 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9938 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:38.374927998 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:38.707787037 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9941 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:39.816561937 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:40.150151014 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9942 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:49.453155994 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:49.787014008 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9952 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:33:50.912993908 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:33:51.245928049 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9954 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:34:01.259077072 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:10.757242918 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:34:11.091149092 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9973 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:34:19.582876921 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:34:19.915530920 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9982 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:34:20.287144899 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:34:20.620362043 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9983 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:34:20.816576004 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:34:21.149523020 CET	297	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 9983 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:34:31.160705090 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:41.290209055 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:51.415848017 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:34:52.931226015 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 23, 2024 10:34:53.264985085 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Sat, 23 Nov 2024 06:47:57 GMT Age: 10016 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 23, 2024 10:35:03.277105093 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 23, 2024 10:35:13.406374931 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	04:33:12
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x580000
File size:	922'112 bytes
MD5 hash:	30E0A4341EF78B82F707DE1F75554D8F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1370166084.0000000001398000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialFlusher, Description: Yara detected Credential Flusher, Source: 00000000.00000003.1306122064.0000000001394000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:33:12
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x270000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:33:12
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x270000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x270000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x330000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x270000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x270000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	04:33:15
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:33:16
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	04:33:16
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	17
Start time:	04:33:16
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84f6ef57-0988-4df9-9f07-232346996c27} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279e796e310 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	04:33:18
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3356 -parentBuildID 20230927232528 -prefsHandle 2928 -prefMapHandle 2924 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c75be7-75f4-4a06-81c5-dfb7a4c30b94} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f9a20a10 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	04:33:24
Start date:	23/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4964 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4824 -prefMapHandle 4676 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aea218b3-2e7d-4cb6-ae19-516ad18c9688} 4412 "\\.\pipe\gecko-crash-server-pipe.4412" 279f7d60710 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.8%
Total number of Nodes:	1578
Total number of Limit Nodes:	70

Executed Functions

Function 005842DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0058430D

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

GetCurrentProcess.KERNEL32(?,0061CB64,00000000,?,?), ref: 00584422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00584429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00584454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00584466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00584474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0058447B
GetSystemInfo.KERNEL32(?,?,?), ref: 005844A0

Strings

GetNativeSystemInfo, xrefs: 00584460
|O, xrefs: 005C36F8
kernel32.dll, xrefs: 0058444F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: cc82c0984d1d90c5a6b84cce867000f741a88a0274d1bf26ece448b3ff9e2f47
Instruction ID: f24090d46dfc5244c60db8a4701c82f595ca9602aa21dbdd9964189934ff8cc2
Opcode Fuzzy Hash: cc82c0984d1d90c5a6b84cce867000f741a88a0274d1bf26ece448b3ff9e2f47
Instruction Fuzzy Hash: 47A1C46190A3D4DFCB11D7A8B8617997FE67F37346F08B89DD841ABA32D2204648CB21

Function 005842A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005850AA,?,?,00000000,00000000), ref: 005842B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005850AA,?,?,00000000,00000000), ref: 005842C9
LoadResource.KERNEL32(?,00000000,?,?,005850AA,?,?,00000000,00000000,?,?,?,?,?,?,00584F20), ref: 005C35BE
SizeofResource.KERNEL32(?,00000000,?,?,005850AA,?,?,00000000,00000000,?,?,?,?,?,?,00584F20), ref: 005C35D3
LockResource.KERNEL32(005850AA,?,?,005850AA,?,?,00000000,00000000,?,?,?,?,?,?,00584F20,?), ref: 005C35E6

Strings

SCRIPT, xrefs: 005842BF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: cad36e7bc15630e9b1f31de005511e29bebbf0f8cb54ac8e2270116f5743bad2
Instruction ID: b40e2e6256f6a6a515d693fe4625aef3d6f7952a31154990097199285c15350b
Opcode Fuzzy Hash: cad36e7bc15630e9b1f31de005511e29bebbf0f8cb54ac8e2270116f5743bad2
Instruction Fuzzy Hash: B611AC74240705BFD7219BA5DC48F6B7FBAFBC9B65F14816AB803D6250DB71D8008A20

Function 005C2BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00582B6B

Part of subcall function 00583A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00651418,?,00582E7F,?,?,?,00000000), ref: 00583A78

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00642224), ref: 005C2C10
ShellExecuteW.SHELL32(00000000,?,?,00642224), ref: 005C2C17

Strings

runas, xrefs: 005C2C0B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 33416781acd33eb3a89e19201b833320d2a5db14e68834e2374fa18e7b055675
Instruction ID: 0b491508a2026dab3f5bf217b09a99378fb95b1cc011c18883224409e0cc26b7
Opcode Fuzzy Hash: 33416781acd33eb3a89e19201b833320d2a5db14e68834e2374fa18e7b055675
Instruction Fuzzy Hash: 341184311093436AC714FF60D85AABE7FA5BBD5751F48682DF842760A2CF218A4AC712

Function 005ED4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005ED501
Process32FirstW.KERNEL32(00000000,?), ref: 005ED50F
Process32NextW.KERNEL32(00000000,?), ref: 005ED52F
CloseHandle.KERNELBASE(00000000), ref: 005ED5DC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2e8322b624d18a43037348916453033c92aafe4c39a76c577b747c77ea7b26d2
Instruction ID: 1d7826604e2165d56f067213e23f36bf8dc6daf364cfc23fce35e80304846c77
Opcode Fuzzy Hash: 2e8322b624d18a43037348916453033c92aafe4c39a76c577b747c77ea7b26d2
Instruction Fuzzy Hash: 623170711083419FD305EF54C885AAFBFF8BFD9354F14092EF581961A1EB719948CBA2

Function 005EDBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,005C5222), ref: 005EDBCE
GetFileAttributesW.KERNELBASE(?), ref: 005EDBDD
FindFirstFileW.KERNEL32(?,?), ref: 005EDBEE
FindClose.KERNEL32(00000000), ref: 005EDBFA

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 3fe9c41fe3d6f74deb1e0f7f7b60cf4d159be8b62aae24c4d5b396d03aed0c91
Instruction ID: 1f9b8bf16723609e92d2d564fd31ad3d46e569b6300758f511f9cf2c3e34388e
Opcode Fuzzy Hash: 3fe9c41fe3d6f74deb1e0f7f7b60cf4d159be8b62aae24c4d5b396d03aed0c91
Instruction Fuzzy Hash: 22F0A73045051057C3246F789C0D4AE3B7DAE01374B248703F479C11E0EBB05D5489A6

Function 005A4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(005B28E9,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002,00000000,?,005B28E9), ref: 005A4D09
TerminateProcess.KERNEL32(00000000,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002,00000000,?,005B28E9), ref: 005A4D10
ExitProcess.KERNEL32 ref: 005A4D22

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3794420d857398fcf4ca178114ab82f5790685039b12b8862d55149fb9d456c8
Instruction ID: 382c434745a515a7df674e015cfbf9665b0bfe85614e4672b5db85b5b535e306
Opcode Fuzzy Hash: 3794420d857398fcf4ca178114ab82f5790685039b12b8862d55149fb9d456c8
Instruction Fuzzy Hash: 46E0B631040548ABCF11AF94DD0AA9C7F6AFB82795B148015FD159A122DB75EE42CE80

Function 0058BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#e, xrefs: 005D07CE

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#e
API String ID: 3964851224-683758580
Opcode ID: 515d803743117a840fda6bfe0aae1589ee1d286278ed9f89578c11b619fad51d
Instruction ID: 6823ba22a244315f9b02a52eda9f1bd3f5f0fd27391bca23929509bea5e0fd88
Opcode Fuzzy Hash: 515d803743117a840fda6bfe0aae1589ee1d286278ed9f89578c11b619fad51d
Instruction Fuzzy Hash: F4A24D706083419FD724DF18C484B2ABFE1BF89304F14996EE99A9B352D771EC45CBA2

Function 0060AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0060B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0060B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0060B1D4
_wcslen.LIBCMT ref: 0060B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0060B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0060B236
_wcslen.LIBCMT ref: 0060B332

Part of subcall function 005F05A7: GetStdHandle.KERNEL32(000000F6), ref: 005F05C6

_wcslen.LIBCMT ref: 0060B34B
_wcslen.LIBCMT ref: 0060B366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0060B3B6
GetLastError.KERNEL32(00000000), ref: 0060B407
CloseHandle.KERNEL32(?), ref: 0060B439
CloseHandle.KERNEL32(00000000), ref: 0060B44A
CloseHandle.KERNEL32(00000000), ref: 0060B45C
CloseHandle.KERNEL32(00000000), ref: 0060B46E
CloseHandle.KERNEL32(?), ref: 0060B4E3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: dc2619c05e95b73c2387b5d08189a4bbea53e7ec533920fbace744d74860ac0e
Instruction ID: 7220e8515eeed88c9ebd11f6a5f40cc5c09dcede3a11bb20b40d358975d22aa4
Opcode Fuzzy Hash: dc2619c05e95b73c2387b5d08189a4bbea53e7ec533920fbace744d74860ac0e
Instruction Fuzzy Hash: C4F18A316442419FCB18EF24C895B6FBBE6BF85310F18845DF8959B2A2DB31EC41CB52

Function 0058D730 Relevance: 21.6, APIs: 14, Instructions: 627windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0058D807
timeGetTime.WINMM ref: 0058DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058DB28
TranslateMessage.USER32(?), ref: 0058DB7B
DispatchMessageW.USER32(?), ref: 0058DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058DB9F
Sleep.KERNELBASE(0000000A), ref: 0058DBB1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 679bb464498248fb9432e4504b62d7f2185ed4289c08b2090da9aae3dcb6b541
Instruction ID: fa5707d371ff4b01a9b431c0d5ee551afa547331a73305ea63fa1f6db7a52095
Opcode Fuzzy Hash: 679bb464498248fb9432e4504b62d7f2185ed4289c08b2090da9aae3dcb6b541
Instruction Fuzzy Hash: 3042C070604342AFD738EF28C858BAABFF1BF95314F14895AE85597391D770E844CBA2

Function 00582CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00582D07
RegisterClassExW.USER32(00000030), ref: 00582D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00582D42
InitCommonControlsEx.COMCTL32(?), ref: 00582D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00582D6F
LoadIconW.USER32(000000A9), ref: 00582D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00582D94

Strings

0, xrefs: 00582CE9
AutoIt v3 GUI, xrefs: 00582D23
TaskbarCreated, xrefs: 00582D37
+, xrefs: 00582CF0

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9b00447ee12522577d71d42b8455da9e9ff7d3ed3a779989538c835708a9e94c
Instruction ID: 5eef7c4d45eb9a3cf2ab69df0a3095ec05c812ae80d1d0651f5ba549e918e743
Opcode Fuzzy Hash: 9b00447ee12522577d71d42b8455da9e9ff7d3ed3a779989538c835708a9e94c
Instruction Fuzzy Hash: 2821F2B5D41308AFDB00DFA4EC89BDDBBB6FB09712F04A11AF911AA2A0D7B14540CF90

Function 005C065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005C039A: CreateFileW.KERNELBASE(00000000,00000000,?,005C0704,?,?,00000000,?,005C0704,00000000,0000000C), ref: 005C03B7

GetLastError.KERNEL32 ref: 005C076F
__dosmaperr.LIBCMT ref: 005C0776
GetFileType.KERNELBASE(00000000), ref: 005C0782
GetLastError.KERNEL32 ref: 005C078C
__dosmaperr.LIBCMT ref: 005C0795
CloseHandle.KERNEL32(00000000), ref: 005C07B5
CloseHandle.KERNEL32(?), ref: 005C08FF
GetLastError.KERNEL32 ref: 005C0931
__dosmaperr.LIBCMT ref: 005C0938

Strings

H, xrefs: 005C08BD

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 021dd45b0b4acf019a1631e5744f84d91d12be3d35ca9823209358759ad83d2c
Instruction ID: 5777cbeaed1fa9b7b0b5d8badc4fda5bbbc5b9a31a21f360a0ef88c12e029037
Opcode Fuzzy Hash: 021dd45b0b4acf019a1631e5744f84d91d12be3d35ca9823209358759ad83d2c
Instruction Fuzzy Hash: 68A11136A002098FDF19EFA8DC55BAE7FA1FB46320F14515DF811AB2D1DB319912CB91

Function 0058344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00583A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00651418,?,00582E7F,?,?,?,00000000), ref: 00583A78

Part of subcall function 00583357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00583379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0058356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005C318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005C31CE
RegCloseKey.ADVAPI32(?), ref: 005C3210
_wcslen.LIBCMT ref: 005C3277
_wcslen.LIBCMT ref: 005C3286

Strings

\Include\, xrefs: 00583527
Include, xrefs: 005C3184, 005C31C5
\, xrefs: 005C328C
Software\AutoIt v3\AutoIt, xrefs: 00583560

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: d090db0f5ad7792856cdee0f217a368f6e537bfc1e92c86bbb57150f9bb30c95
Instruction ID: d70d36366c81274dce692f857efca7df4a24376d0c93debe90d6d48a26eac3ef
Opcode Fuzzy Hash: d090db0f5ad7792856cdee0f217a368f6e537bfc1e92c86bbb57150f9bb30c95
Instruction Fuzzy Hash: 09719E714083039EC704EF65DC969ABBFE9FF8A751F44582EF845A7160EB309A48CB52

Function 00582B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00582B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00582B9D
LoadIconW.USER32(00000063), ref: 00582BB3
LoadIconW.USER32(000000A4), ref: 00582BC5
LoadIconW.USER32(000000A2), ref: 00582BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00582BEF
RegisterClassExW.USER32(?), ref: 00582C40

Part of subcall function 00582CD4: GetSysColorBrush.USER32(0000000F), ref: 00582D07
Part of subcall function 00582CD4: RegisterClassExW.USER32(00000030), ref: 00582D31
Part of subcall function 00582CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00582D42
Part of subcall function 00582CD4: InitCommonControlsEx.COMCTL32(?), ref: 00582D5F
Part of subcall function 00582CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00582D6F
Part of subcall function 00582CD4: LoadIconW.USER32(000000A9), ref: 00582D85
Part of subcall function 00582CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00582D94

Strings

AutoIt v3, xrefs: 00582C2F
0, xrefs: 00582C0F
#, xrefs: 00582C16

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5d2033b5c2c368b466f9961d487460a9f8da2230d1c595ef6b23cb1db74c8757
Instruction ID: cb189c27d89a61826d12674bc861318db5fbf29583b348a590a28aab517f82ec
Opcode Fuzzy Hash: 5d2033b5c2c368b466f9961d487460a9f8da2230d1c595ef6b23cb1db74c8757
Instruction Fuzzy Hash: 9D215E70E40314AFDB10DFA5EC69BAD7FB6FB49B51F04615AF500AA6A0D3B10A40CF90

Function 0058B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0058BB4E

Strings

x#e, xrefs: 005D0168
p#e, xrefs: 0058BB6B
x#e, xrefs: 005D0207
p#e, xrefs: 0058BA72
p%e, xrefs: 0058B8DC
p#e, xrefs: 005D0263
p%e, xrefs: 0058BB32
p#e, xrefs: 005D024F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#e$p#e$p#e$p#e$p%e$p%e$x#e$x#e
API String ID: 1385522511-1966721020
Opcode ID: d988531f25d61be7a956cdae2afd94da2cb25804fa6aa040d1675a2d47942e17
Instruction ID: 25dc518241fa72b7b87c41d3137360b00a8fc442a79e1e165ded8c6bec3f24c2
Opcode Fuzzy Hash: d988531f25d61be7a956cdae2afd94da2cb25804fa6aa040d1675a2d47942e17
Instruction Fuzzy Hash: 52327D74A0020A9FEB24EF58C894BBEBBBAFF45310F14845AED05AB391D774AD41CB51

Function 00583170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0058316A,?,?), ref: 005831D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0058316A,?,?), ref: 00583204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00583227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0058316A,?,?), ref: 00583232
CreatePopupMenu.USER32 ref: 00583246
PostQuitMessage.USER32(00000000), ref: 00583267

Strings

TaskbarCreated, xrefs: 0058322D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 300621f119f725fdc8e69803439c01fd6b2e8b5a46699d1f0b16ac59a74703b6
Instruction ID: 0161df47a3d8d27a9bb7930a08d09205cd644a205c486499f314a888a046ba13
Opcode Fuzzy Hash: 300621f119f725fdc8e69803439c01fd6b2e8b5a46699d1f0b16ac59a74703b6
Instruction Fuzzy Hash: E3412735240205ABDB147B78DC2DBBD3E1AF746F11F045129FD02AA1E1C7A19A41C761

Function 00581410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00581459
CoUninitialize.COMBASE ref: 005814F8
UnregisterHotKey.USER32(?), ref: 005816DD
DestroyWindow.USER32(?), ref: 005C24B9
FreeLibrary.KERNEL32(?), ref: 005C251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005C254B

Strings

close all, xrefs: 00581454

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 62bdda46c69168b65a30d15e27224fb47a824fd271d8f82077d84079073052a4
Instruction ID: fed8bb9a0b6f09fbcfe40515938bed178bdccc5ea5bcaee3d372bef8301a615f
Opcode Fuzzy Hash: 62bdda46c69168b65a30d15e27224fb47a824fd271d8f82077d84079073052a4
Instruction Fuzzy Hash: CBD179307016128FCB19EF55C899F69FBA9BF45710F1446ADE84ABB262DB30AC12CF54

Function 00582C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00582C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00582CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00581CAD,?), ref: 00582CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00581CAD,?), ref: 00582CCF

Strings

AutoIt v3, xrefs: 00582C89, 00582C8E, 00582C8F
edit, xrefs: 00582CAC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: cf207025e39c0d86d3d2dc1ad347755986ebbbcefb0614e37983252362a14921
Instruction ID: 7fbd7b429cdbd3f94d60b68b4a0956ca542375893921ef6d928a4890dd95b864
Opcode Fuzzy Hash: cf207025e39c0d86d3d2dc1ad347755986ebbbcefb0614e37983252362a14921
Instruction Fuzzy Hash: 78F017755803907AEB204B23AC28FBB2EBED7C7F61F05601AF900EA1B0C2610840DAB0

Function 00583B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00583B0F,SwapMouseButtons,00000004,?), ref: 00583B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00583B0F,SwapMouseButtons,00000004,?), ref: 00583B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00583B0F,SwapMouseButtons,00000004,?), ref: 00583B83

Strings

Control Panel\Mouse, xrefs: 00583B3E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ea6cfb983ffcbc188121144c5440bc5e14cf679728ba55670d94a00b1c1675e9
Instruction ID: 385b3950b8914bc5bf56ad54ce5e93fdc4b15abf06ee8d914bfde9c651e529a7
Opcode Fuzzy Hash: ea6cfb983ffcbc188121144c5440bc5e14cf679728ba55670d94a00b1c1675e9
Instruction Fuzzy Hash: 26112AB5510208FFDB20DFA5DC45AEEBBB9FF04B96B10885AAC05E7110E2319F409760

Function 00583923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005C33A2

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00583A04

Strings

Line: , xrefs: 005C33EB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 803b60475e71501ad76c01b6decc4b1978145819de4e40d8f2c6d4c414dc85ce
Instruction ID: 8a89ced67267352b6d93cd6f88de2d8454d7cfba4a814c55b124bf951edb8f06
Opcode Fuzzy Hash: 803b60475e71501ad76c01b6decc4b1978145819de4e40d8f2c6d4c414dc85ce
Instruction Fuzzy Hash: 2F31E471408305AAC321FB10DC49BEF7BD8BB81B11F10492AF999A3091EF749649C7C2

Function 00582DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 005C2C8C

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

Part of subcall function 00582DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00582DC4

Strings

`ed, xrefs: 005C2C85
X, xrefs: 005C2C5A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`ed
API String ID: 779396738-4220762877
Opcode ID: 1177d705236db378d0c4dc1374cc6ef663fdea82e8125f37c3ed36726616b388
Instruction ID: 52ad9268172b9074b8a161f28c0de841dfc1500cecd2b5b2e14b4f6ebeec7a27
Opcode Fuzzy Hash: 1177d705236db378d0c4dc1374cc6ef663fdea82e8125f37c3ed36726616b388
Instruction Fuzzy Hash: 30218171A002599FCF01EF94C849BEE7FF9BF89715F00805AE905B7241DBB45A498FA1

Function 0059FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 005A0668

Part of subcall function 005A32A4: RaiseException.KERNEL32(?,?,?,005A068A,?,00651444,?,?,?,?,?,?,005A068A,00581129,00648738,00581129), ref: 005A3304

__CxxThrowException@8.LIBVCRUNTIME ref: 005A0685

Strings

Unknown exception, xrefs: 005A0692

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: f5cd8f2b9b2293b92c59bc5f8ab3bbe98fcbfe18d0f4ac25b4cccfc63f009442
Instruction ID: e08f7cb109eded89d0f95696aad650032b683b6bb7dbf2e21618192b0d7b12f3
Opcode Fuzzy Hash: f5cd8f2b9b2293b92c59bc5f8ab3bbe98fcbfe18d0f4ac25b4cccfc63f009442
Instruction Fuzzy Hash: 79F0C234D0030E778F00BAA4E84AD9E7F6D7E82354B604531B814D65D1EF71EA65CAC0

Function 005810F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00581BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00581BF4
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00581BFC
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00581C07
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00581C12
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00581C1A
Part of subcall function 00581BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00581C22

Part of subcall function 00581B4A: RegisterWindowMessageW.USER32(00000004,?,005812C4), ref: 00581BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0058136A
OleInitialize.OLE32 ref: 00581388
CloseHandle.KERNEL32(00000000,00000000), ref: 005C24AB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 6833e6c0b030bda0bebd3241c40c0d77e5d9f919071606db5dd28bd4ad70045f
Instruction ID: 466e18b4a68c7affe4b8fa31b0fb9c186d65e9e3a32f5c7c10de0621e049b05d
Opcode Fuzzy Hash: 6833e6c0b030bda0bebd3241c40c0d77e5d9f919071606db5dd28bd4ad70045f
Instruction Fuzzy Hash: C871BBF49113018FC784EF79A8497993EE7BB8A356F14A62AD81ADF261FB304845CF44

Function 005EC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00583923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00583A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005EC259
KillTimer.USER32(?,00000001,?,?), ref: 005EC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005EC270

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 77ebb2ee64364d5b4dbaa4712dbfabbb3040584a72173326fbc201463267b025
Instruction ID: 4a5511a49e279151360f94c7b0f56fae35915d4af5e6e81aa98260025fbcb278
Opcode Fuzzy Hash: 77ebb2ee64364d5b4dbaa4712dbfabbb3040584a72173326fbc201463267b025
Instruction Fuzzy Hash: A431E374904384AFEB26DF748855BEBBFEDAF03304F04049AE2DAA7241C3749A85CB51

Function 005B86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,005B85CC,?,00648CC8,0000000C), ref: 005B8704
GetLastError.KERNEL32(?,005B85CC,?,00648CC8,0000000C), ref: 005B870E
__dosmaperr.LIBCMT ref: 005B8739

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: dc72487e7579a43a8e97b2a798bb4f979757e50fd7a5cd2c54cae9737ff77727
Instruction ID: 6c5a0deaba55fef077b157805b9e6eaa0b26d4f60304861beb08f9681f97a25d
Opcode Fuzzy Hash: dc72487e7579a43a8e97b2a798bb4f979757e50fd7a5cd2c54cae9737ff77727
Instruction Fuzzy Hash: 5601423260576016D764BB34A8497FE6F8D7BD1778F392519F8148B2D2ED61FC81C150

Function 0058DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0058DB7B
DispatchMessageW.USER32(?), ref: 0058DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0058DB9F
Sleep.KERNELBASE(0000000A), ref: 0058DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 005D1CC9

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: 27826fdab802070e7f4d768663756fa39a356578948d1d0dd7dc571318f155e2
Instruction ID: 34ce81130a2c1beef91fbbcf8e6d8f7cb7699be91a6fe4e5d37ee717f3fd8a18
Opcode Fuzzy Hash: 27826fdab802070e7f4d768663756fa39a356578948d1d0dd7dc571318f155e2
Instruction Fuzzy Hash: 9CF05E306543409BEB30DB60CC49FEA7BFAFB85311F10491AEA0A970D0DB7094488F25

Function 00591310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005917F6

Strings

CALL, xrefs: 005917C6

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e4dd3aef2aaf84f1e2ca8ffb66fe526310b4aa129c1bd2c26c043a5036a243c0
Instruction ID: c56742394416f03821cd86b74322fc770cb1a098532f6e8400c2796e941fb71c
Opcode Fuzzy Hash: e4dd3aef2aaf84f1e2ca8ffb66fe526310b4aa129c1bd2c26c043a5036a243c0
Instruction Fuzzy Hash: C2228B706087129FCB14DF18C484A2ABFF1BF89354F19895EF4968B3A2D731E845CB96

Function 00583837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00583908

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 5fc4a69336da646ab6ab2e7f37caa0061e9859e8a7ff1f0d8f45b29b6d6ae121
Instruction ID: b479db9a6ba2c375242703adea12e97d17af274fbc704fe47fc7a8093ff43de4
Opcode Fuzzy Hash: 5fc4a69336da646ab6ab2e7f37caa0061e9859e8a7ff1f0d8f45b29b6d6ae121
Instruction Fuzzy Hash: 1D3191706053019FD720EF64D89579BBFE8FB49B09F00092EF99AA7250E771AA44CF52

Function 0059F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0059F661

Part of subcall function 0058D730: GetInputState.USER32 ref: 0058D807

Sleep.KERNEL32(00000000), ref: 005DF2DE

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: e5a59d79f96d9a48260fea165d26ace77af8d19846bddef88bbbd55a17d37f76
Instruction ID: a8ebe7cc8aeb9cc9308e3ee2a68fb151faea61e1fbc74501e1b17d2a8f283573
Opcode Fuzzy Hash: e5a59d79f96d9a48260fea165d26ace77af8d19846bddef88bbbd55a17d37f76
Instruction Fuzzy Hash: F0F082712802069FD310FF69D849B5ABFE9FF85760F00402AE859D73A0DB70A800CB90

Function 0058ACEB Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d915012b75da43b795e6430f2bb655b1921eb85fb645829fa6989092fc081d4d
Instruction ID: 7cfad8757317058710b6d61fae52235d4f02ce92ff4fb254ab992ccdd9536f1a
Opcode Fuzzy Hash: d915012b75da43b795e6430f2bb655b1921eb85fb645829fa6989092fc081d4d
Instruction Fuzzy Hash: 5631D8711022018BEB35BE58C845F39BFA2BF81712F24482FE885EA552D765AC41DB52

Function 00584ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00584E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E9C
Part of subcall function 00584E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00584EAE
Part of subcall function 00584E90: FreeLibrary.KERNEL32(00000000,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584EFD

Part of subcall function 00584E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E62
Part of subcall function 00584E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00584E74
Part of subcall function 00584E59: FreeLibrary.KERNEL32(00000000,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E87

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: db7c82177b1d80f09aeb0e5e6bc370770d4927aecb4b9b93a3ae3e464c34a13b
Instruction ID: 5b66b45c06cdecb54785fffa7cfd3e201beabac932645c593d3f8d0b8261bd13
Opcode Fuzzy Hash: db7c82177b1d80f09aeb0e5e6bc370770d4927aecb4b9b93a3ae3e464c34a13b
Instruction Fuzzy Hash: 8511C431640207AACB14BB60D80AFAD7FA5BF80714F10842EFD42B62D1EE709E459B50

Function 005B8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 005B8440

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: dcf11af2256ab4e96c5d3428c4c39ec5a7691a4b82b7b4156cff62948437954a
Instruction ID: e0bf300b80cb60a18fdc2d51d3fab9015ff687711c8d7964909c970b7fce748f
Opcode Fuzzy Hash: dcf11af2256ab4e96c5d3428c4c39ec5a7691a4b82b7b4156cff62948437954a
Instruction Fuzzy Hash: C811187590420AAFCF05DF58E945AEA7BF9FF48314F144059FC08AB312DA31EA11CBA5

Function 005B5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005B4C7D: RtlAllocateHeap.NTDLL(00000008,00581129,00000000,?,005B2E29,00000001,00000364,?,?,?,005AF2DE,005B3863,00651444,?,0059FDF5,?), ref: 005B4CBE

_free.LIBCMT ref: 005B506C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: d76bf921141c3c21660a8cc88001d392b8181118eca4006d4b28b309c5709853
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 640126722047096BE3359E659889A9AFFE8FB89370F65091DE18493280EA30B805C6B4

Function 005AE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: a0444b00ea7ee91f8cd429178e8f7274adcaa71d5f8b245dce02478e19abf03b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A4F0D632510A159AD6313A65AC0EB9E3F9CBF93370F100F15F425931D2DB70A8018AB5

Function 005B4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00581129,00000000,?,005B2E29,00000001,00000364,?,?,?,005AF2DE,005B3863,00651444,?,0059FDF5,?), ref: 005B4CBE

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 59e39706c94a8fc7f80cc809eb08b3d55dced5e007ed6f57371d71c43a25b578
Instruction ID: a1f7064cc459d9041bd0e46b3f29a054fbc9e2541c5fe07f0e948d347ce565bd
Opcode Fuzzy Hash: 59e39706c94a8fc7f80cc809eb08b3d55dced5e007ed6f57371d71c43a25b578
Instruction Fuzzy Hash: F2F0B43164222566DB315F629C09BDE3F89BF82BA1F144121F819AA283CA70FC004EE0

Function 005B3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 67e3c5da7b547b25e54a4266e791d7579402c932294848696a786bcb4b80f537
Instruction ID: 2bcd6d0c508733aeca064fb3a8c43826629b3ac88f81320907022e484ed0ba86
Opcode Fuzzy Hash: 67e3c5da7b547b25e54a4266e791d7579402c932294848696a786bcb4b80f537
Instruction Fuzzy Hash: 04E0E53114222566D72126AA9C05BDE3E49BF837B0F060031BC04B6590DB50FD0186E3

Function 00584F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584F6D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 728b36726fff80c6ed4169f989a83993506fe4f60a0b05dd06270620e473c048
Instruction ID: 3185740d2916e7d8662671992f078cd0b8458241b3f859f9e28e3a6c2e93c33c
Opcode Fuzzy Hash: 728b36726fff80c6ed4169f989a83993506fe4f60a0b05dd06270620e473c048
Instruction Fuzzy Hash: A2F01571105792CFDB34AF64E494826BBE4BF143293258E6EEAEA92621C7319844DF10

Function 00612A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00612A66

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 5fe27d1d946b980b440b1456546eee57cd1c35fd107e911ccaceeddfbbceba20
Instruction ID: 2fba0fb3c70c6bf4deeada186585e78817a1b472135ec01fa9f06ff5b15bb977
Opcode Fuzzy Hash: 5fe27d1d946b980b440b1456546eee57cd1c35fd107e911ccaceeddfbbceba20
Instruction Fuzzy Hash: E1E0DF3238011BAACB18EB30DC988FE7B4CEF90390704403AAC16C2100DB30A9A686E0

Function 005830F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0058314E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 15425eabeb42fee4fe9ab6373e8c6882111643a8b922d29d770ac931108e7322
Instruction ID: e444fe7ee18cc52d7509d76a7fceb6bca72bff31a9ffa703957e0e814b44b521
Opcode Fuzzy Hash: 15425eabeb42fee4fe9ab6373e8c6882111643a8b922d29d770ac931108e7322
Instruction Fuzzy Hash: 97F037709143189FEB52DB24DC4A7D97BFCB702708F0410E5A64896191D7745788CF51

Function 00582DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00582DC4

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 87cc12c3c0e99c64f0eb06b90598ebe7533794606cdcb2e8445336717508db0e
Instruction ID: 01497164bd4fa92cfcc46c20c20ce355728872ef9736cb3c481c6694f9cac36f
Opcode Fuzzy Hash: 87cc12c3c0e99c64f0eb06b90598ebe7533794606cdcb2e8445336717508db0e
Instruction Fuzzy Hash: 41E0CD726002245BC710A2989C09FDA77DDEFC8790F044075FD09E7248D970ED808650

Function 00582B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00583837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00583908

Part of subcall function 0058D730: GetInputState.USER32 ref: 0058D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00582B6B

Part of subcall function 005830F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0058314E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 4230fd488cdddad0a265c0b1054ffcb9120b324bd6d37394c7db7336078c091f
Instruction ID: ddd3343feaba8c4d0d47aea50f626be5649a9335901c19ebdfd109102893a3c6
Opcode Fuzzy Hash: 4230fd488cdddad0a265c0b1054ffcb9120b324bd6d37394c7db7336078c091f
Instruction Fuzzy Hash: 16E0263130120606CB04BB30A81A6BDBF9ABBD2752F00253EFC42A71A2CE204A494312

Function 005C039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,005C0704,?,?,00000000,?,005C0704,00000000,0000000C), ref: 005C03B7

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 6d43650bc6d9d3065cad9b1766e6b0dc6853de7d869794f9a766e1f5fb245a89
Instruction ID: ff84fe17a456e8673d3ebb581cee05b4ebe3ca756e471c994f49e7a6bdb8efd5
Opcode Fuzzy Hash: 6d43650bc6d9d3065cad9b1766e6b0dc6853de7d869794f9a766e1f5fb245a89
Instruction Fuzzy Hash: 18D06C3208010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C732E821AB90

Function 00581CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00581CBC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 3b627f5b8a4776ec1a0e55772062209a33e36dfe42f76b64461205b0de443136
Instruction ID: 4a643fe5b2d2c7f337bfe960e83413bb83112a9608bbe96280db61247e97f6a2
Opcode Fuzzy Hash: 3b627f5b8a4776ec1a0e55772062209a33e36dfe42f76b64461205b0de443136
Instruction Fuzzy Hash: 9BC092362C0305AFF315CB80BC6AF547767A349B12F08A402F609A95F3D3A22830EA50

Non-executed Functions

Function 00619576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0061961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0061965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0061969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006196C9
SendMessageW.USER32 ref: 006196F2
GetKeyState.USER32(00000011), ref: 0061978B
GetKeyState.USER32(00000009), ref: 00619798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006197AE
GetKeyState.USER32(00000010), ref: 006197B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006197E9
SendMessageW.USER32 ref: 00619810
SendMessageW.USER32(?,00001030,?,00617E95), ref: 00619918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0061992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00619941
SetCapture.USER32(?), ref: 0061994A
ClientToScreen.USER32(?,?), ref: 006199AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006199BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006199D6
ReleaseCapture.USER32 ref: 006199E1
GetCursorPos.USER32(?), ref: 00619A19
ScreenToClient.USER32(?,?), ref: 00619A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00619A80
SendMessageW.USER32 ref: 00619AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00619AEB
SendMessageW.USER32 ref: 00619B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00619B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00619B4A
GetCursorPos.USER32(?), ref: 00619B68
ScreenToClient.USER32(?,?), ref: 00619B75
GetParent.USER32(?), ref: 00619B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00619BFA
SendMessageW.USER32 ref: 00619C2B
ClientToScreen.USER32(?,?), ref: 00619C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00619CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00619CDE
SendMessageW.USER32 ref: 00619D01
ClientToScreen.USER32(?,?), ref: 00619D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00619D82

Part of subcall function 00599944: GetWindowLongW.USER32(?,000000EB), ref: 00599952

GetWindowLongW.USER32(?,000000F0), ref: 00619E05

Strings

@GUI_DRAGID, xrefs: 0061997D
F, xrefs: 00619D07
p#e, xrefs: 00619990

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#e
API String ID: 3429851547-3604025434
Opcode ID: 005b339e550cc9e5134e0e56713855dd29a0395bcf4e68a1e50d2004105abac2
Instruction ID: a4bcae6ebff7d29014eb30cf77b1e86a3348197b82183bc4a70c879bb6247c9e
Opcode Fuzzy Hash: 005b339e550cc9e5134e0e56713855dd29a0395bcf4e68a1e50d2004105abac2
Instruction Fuzzy Hash: 56427E74604241EFE724CF24CC54BEABBF6FF89320F184619F699972A1D7319891CBA1

Function 00614873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 006148F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00614908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00614927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0061494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0061495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0061497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 006149AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 006149D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00614A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00614A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00614A7E
IsMenu.USER32(?), ref: 00614A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00614AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00614B20
GetWindowLongW.USER32(?,000000F0), ref: 00614B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00614BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00614C82
wsprintfW.USER32 ref: 00614CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00614CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00614CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00614D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00614D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00614D5A

Strings

%d/%02d/%02d, xrefs: 00614CA8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 36a0e5d0fc38314351384c083aafe4c854bea037f2cac1f5969637f7cca35bb7
Instruction ID: ddf598739a229b722288ad119daa978fd27585865c08255feb7cd65ba6870dc6
Opcode Fuzzy Hash: 36a0e5d0fc38314351384c083aafe4c854bea037f2cac1f5969637f7cca35bb7
Instruction Fuzzy Hash: 4612EF71600255AFEB248F28CC49FEE7BBAAF85710F18412AF515EB2A1DB749981CB50

Function 0059F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0059F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005DF474
IsIconic.USER32(00000000), ref: 005DF47D
ShowWindow.USER32(00000000,00000009), ref: 005DF48A
SetForegroundWindow.USER32(00000000), ref: 005DF494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005DF4AA
GetCurrentThreadId.KERNEL32 ref: 005DF4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005DF4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 005DF4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 005DF4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 005DF4DE
SetForegroundWindow.USER32(00000000), ref: 005DF4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF4F6
keybd_event.USER32(00000012,00000000), ref: 005DF501
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF50B
keybd_event.USER32(00000012,00000000), ref: 005DF510
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF519
keybd_event.USER32(00000012,00000000), ref: 005DF51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 005DF528
keybd_event.USER32(00000012,00000000), ref: 005DF52D
SetForegroundWindow.USER32(00000000), ref: 005DF530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 005DF557

Strings

Shell_TrayWnd, xrefs: 005DF46F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3f401dc89b28c1ceb5276dba5671682eb6fb7e5fc16040678b61160adc12c615
Instruction ID: 276eb1b277b9b87a2b951f11aeac4ee9458ee4596756ae501c9b3a1154772691
Opcode Fuzzy Hash: 3f401dc89b28c1ceb5276dba5671682eb6fb7e5fc16040678b61160adc12c615
Instruction Fuzzy Hash: 12315271A80218BBEB316BB55C4AFBF7E6EEB44B60F145427F601E61D1C6B05D10ABA0

Function 005E1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 005E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005E170D
Part of subcall function 005E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005E173A
Part of subcall function 005E16C3: GetLastError.KERNEL32 ref: 005E174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 005E1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 005E12A8
CloseHandle.KERNEL32(?), ref: 005E12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005E12D1
GetProcessWindowStation.USER32 ref: 005E12EA
SetProcessWindowStation.USER32(00000000), ref: 005E12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005E1310

Part of subcall function 005E10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005E11FC), ref: 005E10D4
Part of subcall function 005E10BF: CloseHandle.KERNEL32(?,?,005E11FC), ref: 005E10E9

Strings

Zd, xrefs: 005E1392
, xrefs: 005E125A
winsta0, xrefs: 005E12CC
default, xrefs: 005E130B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Zd
API String ID: 22674027-3105207005
Opcode ID: bd6ea71a109e2d2396ad92bf3fce4a713e6633db7aff23af34f88c4c7a8f681b
Instruction ID: 2f21efa78bbefccdfefcab53927a0f6831206f613dd6d2cbc5e9e7191eb0e76b
Opcode Fuzzy Hash: bd6ea71a109e2d2396ad92bf3fce4a713e6633db7aff23af34f88c4c7a8f681b
Instruction Fuzzy Hash: AA81D071900689AFDF248FA5CC49FEE7FBAFF04700F18812AF951A62A0D7718944CB64

Function 005E0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005E1114
Part of subcall function 005E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1120
Part of subcall function 005E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E112F
Part of subcall function 005E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1136
Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005E0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005E0C00
GetLengthSid.ADVAPI32(?), ref: 005E0C17
GetAce.ADVAPI32(?,00000000,?), ref: 005E0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005E0C6D
GetLengthSid.ADVAPI32(?), ref: 005E0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 005E0C8C
HeapAlloc.KERNEL32(00000000), ref: 005E0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005E0CB4
CopySid.ADVAPI32(00000000), ref: 005E0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005E0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005E0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005E0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0D45
HeapFree.KERNEL32(00000000), ref: 005E0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0D55
HeapFree.KERNEL32(00000000), ref: 005E0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0D65
HeapFree.KERNEL32(00000000), ref: 005E0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 005E0D78
HeapFree.KERNEL32(00000000), ref: 005E0D7F

Part of subcall function 005E1193: GetProcessHeap.KERNEL32(00000008,005E0BB1,?,00000000,?,005E0BB1,?), ref: 005E11A1
Part of subcall function 005E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005E0BB1,?), ref: 005E11A8
Part of subcall function 005E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005E0BB1,?), ref: 005E11B7

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 201909aac453e785b81d086f121911338f6e0243d9209daef81584f9b9abfb12
Instruction ID: c7de645d4e925f6c476b927d133dc06da941d938fd50834da5c6311d50534256
Opcode Fuzzy Hash: 201909aac453e785b81d086f121911338f6e0243d9209daef81584f9b9abfb12
Instruction Fuzzy Hash: 2E71BB7290024AEBDF14DFA5DD48FEEBBB9FF08310F089116E944A7190D7B5AA41CB60

Function 005FEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0061CC08), ref: 005FEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 005FEB37
GetClipboardData.USER32(0000000D), ref: 005FEB43
CloseClipboard.USER32 ref: 005FEB4F
GlobalLock.KERNEL32(00000000), ref: 005FEB87
CloseClipboard.USER32 ref: 005FEB91
GlobalUnlock.KERNEL32(00000000), ref: 005FEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 005FEBC9
GetClipboardData.USER32(00000001), ref: 005FEBD1
GlobalLock.KERNEL32(00000000), ref: 005FEBE2
GlobalUnlock.KERNEL32(00000000), ref: 005FEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 005FEC38
GetClipboardData.USER32(0000000F), ref: 005FEC44
GlobalLock.KERNEL32(00000000), ref: 005FEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 005FEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005FEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 005FECD2
GlobalUnlock.KERNEL32(00000000), ref: 005FECF3
CountClipboardFormats.USER32 ref: 005FED14
CloseClipboard.USER32 ref: 005FED59

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 544c59230d4481d6b4822d5c5cd89f5294ba58bf531b8888ab09fad752796a33
Instruction ID: 188b5aee2f2d82af9bbf79e34822412a3c1236bc6db5080b085952655bfe7f0f
Opcode Fuzzy Hash: 544c59230d4481d6b4822d5c5cd89f5294ba58bf531b8888ab09fad752796a33
Instruction Fuzzy Hash: 8F61BE342442069FD300EF24C88AF7A7BA5BF84714F18955EF986972B1CB35DD06CBA2

Function 005F698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005F69BE
FindClose.KERNEL32(00000000), ref: 005F6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005F6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005F6A75

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 005F6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 005F6ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005F6B6A
%4d, xrefs: 005F6BB1
%02d, xrefs: 005F6C00, 005F6C0A, 005F6C5A, 005F6CAA, 005F6CFA, 005F6D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 005F6B32
%03d, xrefs: 005F6DA2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 1a279bd803471cad75df1ac528661e9d68704a18d27c8879ddb0735efb5a507e
Instruction ID: 48bd5cfc4304d6f2807d9e622d8b8d917e5a38941462199503561bac8bca6301
Opcode Fuzzy Hash: 1a279bd803471cad75df1ac528661e9d68704a18d27c8879ddb0735efb5a507e
Instruction Fuzzy Hash: CED13072508305AAD710EB64C886EBFBBECBF98704F044919FA85D6191EB74DA44CB62

Function 005F9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 005F9663
GetFileAttributesW.KERNEL32(?), ref: 005F96A1
SetFileAttributesW.KERNEL32(?,?), ref: 005F96BB
FindNextFileW.KERNEL32(00000000,?), ref: 005F96D3
FindClose.KERNEL32(00000000), ref: 005F96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 005F96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 005F974A
SetCurrentDirectoryW.KERNEL32(00646B7C), ref: 005F9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 005F9772
FindClose.KERNEL32(00000000), ref: 005F977F
FindClose.KERNEL32(00000000), ref: 005F978F

Strings

*.*, xrefs: 005F96F5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 284577d37bca5a52a38d6ad2570d6a90f0fc2d7574579c4bd745b6341bb9041c
Instruction ID: c0200c8c56ae6e681dd92c51f1c23b14ef6394a8ded856242767a747a21c4401
Opcode Fuzzy Hash: 284577d37bca5a52a38d6ad2570d6a90f0fc2d7574579c4bd745b6341bb9041c
Instruction Fuzzy Hash: 0931C33254161E6FDB10AFB4DC08BEE7BADEF4A321F148156FA15E2090EB38DE448A54

Function 005F979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 005F97BE
FindNextFileW.KERNEL32(00000000,?), ref: 005F9819
FindClose.KERNEL32(00000000), ref: 005F9824
FindFirstFileW.KERNEL32(*.*,?), ref: 005F9840
SetCurrentDirectoryW.KERNEL32(?), ref: 005F9890
SetCurrentDirectoryW.KERNEL32(00646B7C), ref: 005F98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 005F98B8
FindClose.KERNEL32(00000000), ref: 005F98C5
FindClose.KERNEL32(00000000), ref: 005F98D5

Part of subcall function 005EDAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005EDB00

Strings

*.*, xrefs: 005F983B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 734cd4a04790a22bedb360babcd05d946e21836da1e29bdb530408932d83f6fe
Instruction ID: f5455ff22ec9218bbd9e6f8fcdfcc2711524495936699fac72f809fb416bf51a
Opcode Fuzzy Hash: 734cd4a04790a22bedb360babcd05d946e21836da1e29bdb530408932d83f6fe
Instruction Fuzzy Hash: D031C331540A1E6EDB10AFB4DC48BEE7BADFF46370F148156FA10E2190DB74DE958A60

Function 0060BE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060BF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0060BFA9
RegCloseKey.ADVAPI32(00000000), ref: 0060BFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0060C02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0060C0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0060C154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0060C1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0060C23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0060C2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0060C382
RegCloseKey.ADVAPI32(00000000), ref: 0060C38F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 504629bfbfd505481649ad820a7057fbf698ab1d07cf82f4c1813aa7e2d00feb
Instruction ID: 1b1cf6af27ab470de411a2d0f18daf7ffdeb2c9f196c4724a04008d4862e19f8
Opcode Fuzzy Hash: 504629bfbfd505481649ad820a7057fbf698ab1d07cf82f4c1813aa7e2d00feb
Instruction Fuzzy Hash: 77025B706042019FC718DF24C895A6ABBE6FF89318F18C59DE84ADB2A2DB31ED45CB51

Function 005F8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005F8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 005F8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005F8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005F8310
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8324
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005F838C
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8395

Strings

*.*, xrefs: 005F839B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: f985b0bf4c4b4fb7ceeb87921f25e5ba469dc24654071ccc956e7c16eec37b3b
Instruction ID: c937060db384f7707c344fd504566f9662f371a6d49f8b6d87ad61895a8da209
Opcode Fuzzy Hash: f985b0bf4c4b4fb7ceeb87921f25e5ba469dc24654071ccc956e7c16eec37b3b
Instruction Fuzzy Hash: A6618D7250430A9FD710EF60C8449AFBBE9FF89310F04891EFA9997251EB35E945CB92

Function 005ED076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

Part of subcall function 005EE199: GetFileAttributesW.KERNEL32(?,005ECF95), ref: 005EE19A

FindFirstFileW.KERNEL32(?,?), ref: 005ED122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 005ED1DD
MoveFileW.KERNEL32(?,?), ref: 005ED1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 005ED20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 005ED237

Part of subcall function 005ED29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,005ED21C,?,?), ref: 005ED2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 005ED253
FindClose.KERNEL32(00000000), ref: 005ED264

Strings

\*.*, xrefs: 005ED0CD, 005ED0D6, 005ED0EB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: af7d1662e8e70c8818d6411382bf769b027b8b5363a252b4e2ed235c42ac51b1
Instruction ID: 840911668559d9eed0e4abe78123590b36918568cc7da05977cb8fc06bc7e18a
Opcode Fuzzy Hash: af7d1662e8e70c8818d6411382bf769b027b8b5363a252b4e2ed235c42ac51b1
Instruction Fuzzy Hash: 45613A3180514EABCF09EBE1CA969FDBBB5BF95300F248165E84277191EB316F09CB61

Function 005FED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005FED91
EmptyClipboard.USER32 ref: 005FED97
GlobalAlloc.KERNEL32(00000002,?), ref: 005FEDAC
CloseClipboard.USER32 ref: 005FEEA3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: f2f63d619d78ce203f632e1e42fdb7e3a99a675a594a12ef74c9931462ac94f0
Instruction ID: 7e66d29193239e48288cfb7bbe748929237e95e9617bca7e2e98feda496d825d
Opcode Fuzzy Hash: f2f63d619d78ce203f632e1e42fdb7e3a99a675a594a12ef74c9931462ac94f0
Instruction Fuzzy Hash: F741BD31204211AFE720DF15E889B69BFE6FF44328F18C499E5158BA72C739ED41CB90

Function 005EE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005E16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005E170D
Part of subcall function 005E16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005E173A
Part of subcall function 005E16C3: GetLastError.KERNEL32 ref: 005E174A

ExitWindowsEx.USER32(?,00000000), ref: 005EE932

Strings

SeShutdownPrivilege, xrefs: 005EE902
@, xrefs: 005EE925
, xrefs: 005EE920
, xrefs: 005EE95C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 01b7af787589faab982a601b9e309e0b360dddaac12726aa15380e9df2f76532
Instruction ID: 607a2a5fe554f9d4c7d106d130c4ae94a0e6931d901c517b112ddce9dc66ced1
Opcode Fuzzy Hash: 01b7af787589faab982a601b9e309e0b360dddaac12726aa15380e9df2f76532
Instruction Fuzzy Hash: AD012B72620252ABEB1C62B69C8BFFF7A9DB704750F154822F882E31D3D5A09C4481A4

Function 00601204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00601276
WSAGetLastError.WSOCK32 ref: 00601283
bind.WSOCK32(00000000,?,00000010), ref: 006012BA
WSAGetLastError.WSOCK32 ref: 006012C5
closesocket.WSOCK32(00000000), ref: 006012F4
listen.WSOCK32(00000000,00000005), ref: 00601303
WSAGetLastError.WSOCK32 ref: 0060130D
closesocket.WSOCK32(00000000), ref: 0060133C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 13dabd180337bcf8141dd7c4b93a480433954c48657cb0cb97c540414b43483b
Instruction ID: 89ab2a6499acb10802d2379ebaa067e00d2255ebe15f1dab3549318c7eacd33a
Opcode Fuzzy Hash: 13dabd180337bcf8141dd7c4b93a480433954c48657cb0cb97c540414b43483b
Instruction Fuzzy Hash: 1341A3316401009FD714DF68C498B6ABBE6BF86328F188089E8569F3D2C771ED81CBE0

Function 005BB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005BB9D4
_free.LIBCMT ref: 005BB9F8
_free.LIBCMT ref: 005BBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00623700), ref: 005BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0065121C,000000FF,00000000,0000003F,00000000,?,?), ref: 005BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00651270,000000FF,?,0000003F,00000000,?), ref: 005BBC36
_free.LIBCMT ref: 005BBD4B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 839a75171226a780da6921b48f4f1d1e5c24d4d7b1f39e5bdc85219cded492ab
Instruction ID: da777104ad2862662764985b8c1f0adb3fe4cdd62c4127ebc29724bf167afffa
Opcode Fuzzy Hash: 839a75171226a780da6921b48f4f1d1e5c24d4d7b1f39e5bdc85219cded492ab
Instruction Fuzzy Hash: 03C1F771904206AFEB20DF698C55BEE7FB9FF82310F14459AE4949B251EBF0AE41C750

Function 005ED3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

Part of subcall function 005EE199: GetFileAttributesW.KERNEL32(?,005ECF95), ref: 005EE19A

FindFirstFileW.KERNEL32(?,?), ref: 005ED420
DeleteFileW.KERNEL32(?,?,?,?), ref: 005ED470
FindNextFileW.KERNEL32(00000000,00000010), ref: 005ED481
FindClose.KERNEL32(00000000), ref: 005ED498
FindClose.KERNEL32(00000000), ref: 005ED4A1

Strings

\*.*, xrefs: 005ED3F2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bddce30d4decbac72c557fe0d649a045fdcc16b4537f478cb20e10939e067d65
Instruction ID: 0ca7b25a280e9be6dd201dc8b8ede6bdc470e07dea93727ba38b4eb06b07df6a
Opcode Fuzzy Hash: bddce30d4decbac72c557fe0d649a045fdcc16b4537f478cb20e10939e067d65
Instruction Fuzzy Hash: 6E3141710083869BC705FF64D8558AF7BA8BEE5314F444E1EF8D1A2191EB74AA09CB63

Function 005BE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 005BE645

Strings

1#IND, xrefs: 005BF83D
1#QNAN, xrefs: 005BF84B
1#SNAN, xrefs: 005BF844
1#INF, xrefs: 005BF852

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: ddcebba00323013182a80e126023b9e8fb4195b1ed1a435e2cdd9662a3fda1e9
Instruction ID: e4fd63280c89030dbf1c5529a34bd23abe49cf64fc010a3f1cd2c16684e3a0f2
Opcode Fuzzy Hash: ddcebba00323013182a80e126023b9e8fb4195b1ed1a435e2cdd9662a3fda1e9
Instruction Fuzzy Hash: 6DC24B71E086298FDB25CE28DD457EABBB5FB45304F1845EAD40EE7241E774AE818F40

Function 005F648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005F64DC
CoInitialize.OLE32(00000000), ref: 005F6639
CoCreateInstance.OLE32(0061FCF8,00000000,00000001,0061FB68,?), ref: 005F6650
CoUninitialize.OLE32 ref: 005F68D4

Strings

.lnk, xrefs: 005F64BA, 005F6524, 005F65E0

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: c1846a9adde095b8f5532419156fb68e7482e621a3851bdeea8c35c9e7b2eae1
Instruction ID: c063cc883c9e13cdcf384d00d5028f3c27be0c83a7ad6aa1367ad567dd36c587
Opcode Fuzzy Hash: c1846a9adde095b8f5532419156fb68e7482e621a3851bdeea8c35c9e7b2eae1
Instruction Fuzzy Hash: B0D16A71508206AFD304EF24C88596BBBE9FFD8304F54492DF595AB291EB70ED05CBA2

Function 006022DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 006022E8

Part of subcall function 005FE4EC: GetWindowRect.USER32(?,?), ref: 005FE504

GetDesktopWindow.USER32 ref: 00602312
GetWindowRect.USER32(00000000), ref: 00602319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00602355
GetCursorPos.USER32(?), ref: 00602381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006023DF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 5f1688d8391dcf9124316cb2498ddc4576955932747a9819a260c999cf055a43
Instruction ID: ab1b316dac8c5dd020aa2cb49b132e9f1e01473a97ea49c9bb955182e91fd483
Opcode Fuzzy Hash: 5f1688d8391dcf9124316cb2498ddc4576955932747a9819a260c999cf055a43
Instruction Fuzzy Hash: 8531D072544316AFC728DF14C849B9BBBAAFFC4320F00491AF98597291DB34E908CB92

Function 005F9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 005F9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 005F9C8B

Part of subcall function 005F3874: GetInputState.USER32 ref: 005F38CB
Part of subcall function 005F3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 005F9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 005F9C75

Strings

*.*, xrefs: 005F9B5D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: a5eb7bdcb32364771e5271a639251bf791c312922691566638a794cef431b654
Instruction ID: d75bb9764ecb1e9f1d95ea677de287a438a4e31c61db24669c5ff5b8d505d7a5
Opcode Fuzzy Hash: a5eb7bdcb32364771e5271a639251bf791c312922691566638a794cef431b654
Instruction Fuzzy Hash: 7E415A7194460EABDF14EFA4C889BEEBFB9FF45310F244056E905A2191EB349E84CF60

Function 0059997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00599A4E
GetSysColor.USER32(0000000F), ref: 00599B23
SetBkColor.GDI32(?,00000000), ref: 00599B36

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 46562560f825d0924ad2a586cd0125faacff4a91f782fc7355af54d5b3316b33
Instruction ID: 08240b040efd1de68abeb04b18874a78850b4e122485a3c835e4f6df2de44881
Opcode Fuzzy Hash: 46562560f825d0924ad2a586cd0125faacff4a91f782fc7355af54d5b3316b33
Instruction Fuzzy Hash: 89A1E870108548BFEF389A2C8C59EBF2E9EFB8A340F14450FF512D6691DA259D41D276

Function 00601806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0060304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0060307A
Part of subcall function 0060304E: _wcslen.LIBCMT ref: 0060309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0060185D
WSAGetLastError.WSOCK32 ref: 00601884
bind.WSOCK32(00000000,?,00000010), ref: 006018DB
WSAGetLastError.WSOCK32 ref: 006018E6
closesocket.WSOCK32(00000000), ref: 00601915

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0d1c8e975284087ebc5805624ac49f81861310c20c8045f1f7254fcb7d7f8969
Instruction ID: 981795c9d25d0484b300e6b4c49b92ab91b2abe8fbfd718381c7a13df3b9fdc0
Opcode Fuzzy Hash: 0d1c8e975284087ebc5805624ac49f81861310c20c8045f1f7254fcb7d7f8969
Instruction Fuzzy Hash: 7A51C871A402009FEB14AF24C88AF6A7BE6AF85718F18C458F9156F3C3D771AD41C7A1

Function 00611C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00611CC0
IsWindowEnabled.USER32 ref: 00611CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00611CDB
IsIconic.USER32 ref: 00611CE9
IsZoomed.USER32 ref: 00611CF7

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d66f002ea6d257967724bd8f8d5c4bc892a3f41c4f900e12c2c146590d7cc762
Instruction ID: 6acf43392ae5c07a44199a09976ce1251adc6c72df586195a38ab62072b2893f
Opcode Fuzzy Hash: d66f002ea6d257967724bd8f8d5c4bc892a3f41c4f900e12c2c146590d7cc762
Instruction Fuzzy Hash: 072191317802115FD7209F2AD854BEA7BA6AF86324B1D8059E9468F351CB75DC82CBD4

Function 00588060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 005883FA
ERCP, xrefs: 0058813C
VUUU, xrefs: 0058843C
VUUU, xrefs: 005C5DF0
VUUU, xrefs: 005883E8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 2ff76a2681b1d79c1ac3de2a3e3db3551d6438b67ba95db95c8ce2d866d3ede9
Instruction ID: 491027f652670556e8485ee690435c0581eb20c20a4bdd4d95c174cfb47dfc76
Opcode Fuzzy Hash: 2ff76a2681b1d79c1ac3de2a3e3db3551d6438b67ba95db95c8ce2d866d3ede9
Instruction Fuzzy Hash: 52A26D75A0061ACFDF24DF98C844BBDBBB1FB54314F6485A9DC15A7281EB70AE81CB90

Function 005E8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005E82AA

Strings

tbd, xrefs: 005E84F4
(, xrefs: 005E82F0
|, xrefs: 005E82DA

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbd$|
API String ID: 1659193697-2281384303
Opcode ID: 0ebbef25506cba8226d4f5292b2c071230598848c704097e67e44b5489c79602
Instruction ID: 36687b1695dda47d4f5f19ab276600f8fdeccfae298dbf81d885f57af7ea6da6
Opcode Fuzzy Hash: 0ebbef25506cba8226d4f5292b2c071230598848c704097e67e44b5489c79602
Instruction Fuzzy Hash: 83323675A007459FCB28CF59C481A6ABBF1FF48710B15C96EE49ADB3A1EB70E941CB40

Function 005EAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 005EAAAC
SetKeyboardState.USER32(00000080), ref: 005EAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 005EAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 005EAB88

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 8def8d29e86e611e94414bb2dcdd092de85fcd2bb1d5ae9ff355193c1132eec3
Instruction ID: 1ba267bee0fc2a2be7a6968f1ea42a35ae44203f3c3e4fadc758e1f84e745538
Opcode Fuzzy Hash: 8def8d29e86e611e94414bb2dcdd092de85fcd2bb1d5ae9ff355193c1132eec3
Instruction Fuzzy Hash: E9310B30A40388AEFB398B768C05BFA7FAFBB54310F08421AE1C1961D1D774A985C752

Function 005FCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 005FCE89
GetLastError.KERNEL32(?,00000000), ref: 005FCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 005FCEFE

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 0e57d7be7a0e518f775bd5f854976b85f17ba08eabab43d73b27cd8e2c839af7
Instruction ID: cf83f68e24155864b6ce8ce86c2136c50ea2800173a4301536b92d9d07bffd4b
Opcode Fuzzy Hash: 0e57d7be7a0e518f775bd5f854976b85f17ba08eabab43d73b27cd8e2c839af7
Instruction Fuzzy Hash: CA21AC7154030D9BDB21DF65CA48BAABFFDFF41314F10882AE74692151E778EA048B60

Function 005F5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005F5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 005F5D17
FindClose.KERNEL32(?), ref: 005F5D5F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b0b6cc3e19f41483e1607cdd274e51190fdf28ffb3950842b999b323b182443c
Instruction ID: ed7c4d3dd7285a2a1fab95a219b27f1015e237dc69d21ff389b73028c23f5cea
Opcode Fuzzy Hash: b0b6cc3e19f41483e1607cdd274e51190fdf28ffb3950842b999b323b182443c
Instruction Fuzzy Hash: CF519D746046069FC714DF28C498EAABBE4FF49324F14855EEA5ACB3A1DB34ED04CB91

Function 005B2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 005B271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005B2724
UnhandledExceptionFilter.KERNEL32(?), ref: 005B2731

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 15097454d037fffe52403947aa3aa88bff2a8185e43341a3ff019ad27f7656ff
Instruction ID: 0d04ebe54bdd74f41b2a9d8fe1856e587b5b06ae0793439f4337a4e35233ea2b
Opcode Fuzzy Hash: 15097454d037fffe52403947aa3aa88bff2a8185e43341a3ff019ad27f7656ff
Instruction Fuzzy Hash: A631D374951219ABCB21DF68DC897DCBBB8BF08310F5051EAE81CA7260EB309F818F54

Function 005F51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005F5238
SetErrorMode.KERNEL32(00000000), ref: 005F52A1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 73d3ade5fce315a026fc3a43ead4e8d789131517cf8f366341f5cb81734f7017
Instruction ID: 09e3331569ff23419a08b003f6436190c985690e3a12984ecfee85f1bcca4096
Opcode Fuzzy Hash: 73d3ade5fce315a026fc3a43ead4e8d789131517cf8f366341f5cb81734f7017
Instruction Fuzzy Hash: A5315E75A00519DFDB00EF54D888EADBFB5FF49318F088099E905AB362DB35E855CBA0

Function 005E16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0059FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005A0668
Part of subcall function 0059FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 005A0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005E170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005E173A
GetLastError.KERNEL32 ref: 005E174A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: c5b0afca9e8f650442843075d4343d6acb8adb6526a7e74d6412b9650e4116d6
Instruction ID: 318340333c1ec3de8c02813f6841c4cd9f6332c174df27aa8cdf2f52abadc808
Opcode Fuzzy Hash: c5b0afca9e8f650442843075d4343d6acb8adb6526a7e74d6412b9650e4116d6
Instruction Fuzzy Hash: 2411C1B2410305AFD718DF54DC86DAABBB9FB44724B24852EE09697641EB70BC41CB24

Function 005ED5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005ED608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 005ED645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 005ED650

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: acef2714d5d5c96e4a7a6e59448b39fb1153ab050bf33152c696f31641a95f2c
Instruction ID: e036f8c96553ea7d9bc7b5d86e0d2c04437cf445a5d64c8d5370fd61279ce038
Opcode Fuzzy Hash: acef2714d5d5c96e4a7a6e59448b39fb1153ab050bf33152c696f31641a95f2c
Instruction Fuzzy Hash: B8117C71E41228BBDB108F959C45FEFBFBCEB45B60F108112F914E7290C2704A018BA1

Function 005E1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 005E168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005E16A1
FreeSid.ADVAPI32(?), ref: 005E16B1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 542378499806413e1377e4216a3e8018cb367aba718e127a03880e3655c2eee8
Instruction ID: deb6f444337962e27b8a94111f3edce5ffc0379cf53b00dcdb113736385e5aa2
Opcode Fuzzy Hash: 542378499806413e1377e4216a3e8018cb367aba718e127a03880e3655c2eee8
Instruction Fuzzy Hash: 7AF04471980308FBDB00CFE08C89EAEBBBDFB08211F008561E500E2180E331AA448A50

Function 005BC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 005BC36C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 45f8398025d8edaf059566d85373a82beede0c7ad81044cbbc92f06d6a07d9d2
Instruction ID: a22534281a1e611183abfe489914d6ddb9a2d3f16b0c832ddb9617850fc41d44
Opcode Fuzzy Hash: 45f8398025d8edaf059566d85373a82beede0c7ad81044cbbc92f06d6a07d9d2
Instruction Fuzzy Hash: CC413676900219ABCB209FB9CC89EFB7FB8FB84315F504669F905C7180E670AE818B54

Function 005DD27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 005DD28C

Strings

X64, xrefs: 005DD2A8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 96e5baeb7c9804a4a818393a3abe370eee1836769a6ff5565ae7043a1cacc34e
Instruction ID: 013f13c8d0ebd0405d5e01b39d37b240851d260bc540603cd9c32d26caa0bde4
Opcode Fuzzy Hash: 96e5baeb7c9804a4a818393a3abe370eee1836769a6ff5565ae7043a1cacc34e
Instruction Fuzzy Hash: 41D0C9B480111DEACF94CB90DC88DDDB77CBB04345F104552F546A2100D73495489F20

Function 005ACAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 6221c3af6a85e1e8b93eaaf948e4eb4eacb09c30333b577f3f5bd2f5b894f9a2
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 38021A71E002199FDF14CFA9C8906ADBFF5FF89324F258169D819AB281D731AE418B94

Function 0058CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 005D0C40
p#e, xrefs: 0058CF7F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#e
API String ID: 0-1812669178
Opcode ID: 145d9b22de2aa3173424043b91da6e853a07dc199861cc4eefcf19f2a016fb34
Instruction ID: 95e262f6d87ce21db26183212fc87016fa72fc8b2ea6fcb89ef0aa6d97e4c0e0
Opcode Fuzzy Hash: 145d9b22de2aa3173424043b91da6e853a07dc199861cc4eefcf19f2a016fb34
Instruction Fuzzy Hash: AE3287709002199BDF24EF94D885BEDBFB9BF45308F14845AE806BB392D771AE45CB60

Function 005F68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005F6918
FindClose.KERNEL32(00000000), ref: 005F6961

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 38e6808836587552e98863dcc7c69283f5786fcf258d39f178130cf87c71f693
Instruction ID: d00de2560d95c3d859a66426b993c06ce130d6b8ee7e37b5a885ee3a74dee6a4
Opcode Fuzzy Hash: 38e6808836587552e98863dcc7c69283f5786fcf258d39f178130cf87c71f693
Instruction Fuzzy Hash: 3011D0316042059FD710DF29D488A2ABBE1FF88328F14C699E9698F3A2C774EC05CB90

Function 005F37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00604891,?,?,00000035,?), ref: 005F37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00604891,?,?,00000035,?), ref: 005F37F4

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 688bfc2cf6e4937598d17eccbf426db74720bcffcf87d1a8c10ed43be578f1fc
Instruction ID: 70080190c554e6ce550c6999c35e9dab3491f281241077c989a744ac0b0ab329
Opcode Fuzzy Hash: 688bfc2cf6e4937598d17eccbf426db74720bcffcf87d1a8c10ed43be578f1fc
Instruction Fuzzy Hash: FCF0E5B06052292AE72067A69C4DFEB3FAEFFC5771F000175F609E2281D9A09E44C7B0

Function 005EB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 005EB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 005EB270

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 18caa4f9e9909a8ebfb0ddf2fed55099cc0b3f510da1622aeaefcb128ca1ef27
Instruction ID: f8977d83c0964085915becb0bb14308495f760fd04400c96a3d89db38dd75164
Opcode Fuzzy Hash: 18caa4f9e9909a8ebfb0ddf2fed55099cc0b3f510da1622aeaefcb128ca1ef27
Instruction Fuzzy Hash: ACF06D7580428DABEB058FA1C805BEE7FB0FF04315F04800AF951A5191C37982119F94

Function 005E10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005E11FC), ref: 005E10D4
CloseHandle.KERNEL32(?,?,005E11FC), ref: 005E10E9

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 532c41f7524e352450267af3012e86fa75ed3bbc54d43893b6318761ee28fa1f
Instruction ID: 88b4da2a3e8511341abf0e26e7bc6d365103b7d58f7ea8348fd94acac8c89000
Opcode Fuzzy Hash: 532c41f7524e352450267af3012e86fa75ed3bbc54d43893b6318761ee28fa1f
Instruction Fuzzy Hash: 22E04F32004611AFEB252B11FC09EB77BAAFB04320B24C82EF4A5804B1DB626C90DB14

Function 005B676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005B6766,?,?,00000008,?,?,005BFEFE,00000000), ref: 005B6998

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: a65b9e1ba35e6a05ff3bd6aff6d8e02255b8e4aa91fb9cc70120293c32d6c24e
Instruction ID: 27d867252388a72020d7a1d91cdce7bb77c2db3fbfccb88a3935918de450663d
Opcode Fuzzy Hash: a65b9e1ba35e6a05ff3bd6aff6d8e02255b8e4aa91fb9cc70120293c32d6c24e
Instruction Fuzzy Hash: 27B14D31510609DFDB15CF28C49ABA57FE0FF45364F298658E899CF2A2C739E991CB40

Function 0059B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 005D851F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 81842538650e180f5d441a6a2c709aeacfa0815bee31013ffccd473745ab6fec
Instruction ID: 2f72077838308da8e5541649f06e65c46021fbe2807b9c0bf14f44d62fbafceb
Opcode Fuzzy Hash: 81842538650e180f5d441a6a2c709aeacfa0815bee31013ffccd473745ab6fec
Instruction Fuzzy Hash: 55126E759002299BEF24CF58D9806FEBBB5FF48710F14859AE809EB251DB309E81DF90

Function 005FEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 005FEABD

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: aada066cbea5a4e4438703fc5fa98ea8bd19390e965f4c5d31f9f02c3b631435
Instruction ID: 4eefc893c6963d8f414f2e0335adf8c65cc2a0532491af5fc749678e325baac3
Opcode Fuzzy Hash: aada066cbea5a4e4438703fc5fa98ea8bd19390e965f4c5d31f9f02c3b631435
Instruction Fuzzy Hash: A7E01A312002059FD710EF5AD809E9ABFE9BF98760F008416FD49D7361DA74A8408BA0

Function 005A09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,005A03EE), ref: 005A09DA

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ca18e8a811150e7d80627374ed1773f5bed48ac27516b12ca2c97ef2e4a22842
Instruction ID: bbc8ae2edeed20caf3cc2372155c9f458b761bacf2bc33ff3dd3c15d0f362175
Opcode Fuzzy Hash: ca18e8a811150e7d80627374ed1773f5bed48ac27516b12ca2c97ef2e4a22842
Instruction Fuzzy Hash:

Function 005A781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 005A798B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 0c55453c488f158ff51b11e102765e7e4236917b14bb505209e022286bf8529c
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: A451677260C60F6FDB3885288C5D7BF2F89BB5F340F18091AD986D7282C619DE05D356

Function 005F2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&e, xrefs: 005F2053

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: 0&e
API String ID: 0-623651441
Opcode ID: cda38ff61e1e2ae6b795e341827ef7d39380d661f0f4ee5884b526b75fcb7d32
Instruction ID: 5e595ab6e8a1e9fb74bd7748a0cd6a4b8e7fbf6eb6c78320edc6cd1cf5d7964d
Opcode Fuzzy Hash: cda38ff61e1e2ae6b795e341827ef7d39380d661f0f4ee5884b526b75fcb7d32
Instruction Fuzzy Hash: 4321BB726606158BDB28CF79C82767E77E9B754310F15862EE4A7C37D0DE39A904C740

Function 005B6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526b7f42ab3d7a6955b3a8352e7aabc12dbe51a14a3c4e07c4069c37042e50ec
Instruction ID: 7849b1129253f5f8fd37160255fb6b949b0ddc5ad913cbb55be1de33345fdf73
Opcode Fuzzy Hash: 526b7f42ab3d7a6955b3a8352e7aabc12dbe51a14a3c4e07c4069c37042e50ec
Instruction Fuzzy Hash: 06320331D29F064DD7339634C832375AA89AFBB3C5F15D727E81AB59A6EB29D4834100

Function 0059CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36cea78516c26ec2a4f8c3e8c0f731822e3945c683e1c1a829e75467b43d9c9
Instruction ID: 21c824bf20f28d041718ee4681ed239dd710126aa987eb3044444233cba4c230
Opcode Fuzzy Hash: e36cea78516c26ec2a4f8c3e8c0f731822e3945c683e1c1a829e75467b43d9c9
Instruction Fuzzy Hash: 3732E132A401578BDF38CA6CC49467D7FA2FB45300F28896BD86ADB791D630DD81DB41

Function 00587920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb4b8b21870a663a649915e6c593a66c1badacb4a20e889a28bdc90fb4445ca
Instruction ID: 3c76f783885a7d5036fe3251945b6392a36304f2c67a08f8496a3730796308e0
Opcode Fuzzy Hash: 1fb4b8b21870a663a649915e6c593a66c1badacb4a20e889a28bdc90fb4445ca
Instruction Fuzzy Hash: 3E228E70A0460A9FDF14DFA4C885BAEBBB6FF48300F244529E816A7291FB35ED55CB50

Function 005891C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca1c9462519a6755c7b96aea71eeb91e48cf32b89fdcac6a334e97b65c1b682
Instruction ID: f59a5d69b062602973a71b0ebb32f71671363c3aaedc6d13f412da261ae2e95b
Opcode Fuzzy Hash: aca1c9462519a6755c7b96aea71eeb91e48cf32b89fdcac6a334e97b65c1b682
Instruction Fuzzy Hash: B40293B0A00206EFDF05DF54D886BADBBB5FF44304F148569E816EB291EB31AE11CB91

Function 005A1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 6b686fe2f103213615a455f0e4b037e24d77b0d2d45832b1545334db2e25212f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 619164722084A34EDB29463E857403EFFE57B933B1B1A0B9ED4F2CA1C5FE248954D624

Function 005A19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8b2e5a2834b825b94b3fc2c718ae6c9415b49e2cdfd3a42ecb01e5b8aed9f44b
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: CC9144722098A34EDB2D467A957403EFFE16B933A2B1E079DD4F2CA1C1FD24C954D624

Function 005A7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ed5138a71769229229a5162e8c87b9e4ebd6132d2194d08fdca95436919993
Instruction ID: 694187f1a07caf95167f8d8183f6b1fa2280658e79457d3a443eadfde20c7b2a
Opcode Fuzzy Hash: a2ed5138a71769229229a5162e8c87b9e4ebd6132d2194d08fdca95436919993
Instruction Fuzzy Hash: CE613BB160870E66DE3499289DA9BBF2F94FF8F710F140D19E943DB281E6119E42C375

Function 005A7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ea2f7e1a228966a85b8d8aab0177aa6020b74704ae1a43335bffa1dfbeadd9
Instruction ID: 8322a2f277507fd89e13836e66e0022e353af713980f3b39a975fa0c682c0dd5
Opcode Fuzzy Hash: 88ea2f7e1a228966a85b8d8aab0177aa6020b74704ae1a43335bffa1dfbeadd9
Instruction Fuzzy Hash: DB616A7160870E67DE385A384C69BBF2F98FF9F704F140D59E943DB281EA12AD428355

Function 005A1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d72f6d6a7b523a2a34413de6d4d80464bd67b5f8cb73154d6f58fa66014a5596
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E58175726094A30DDB6D423A853443EFFE1BB933A1B1A079DD4F2CB1C1EE24C954E624

Function 00602ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00602B30
DeleteObject.GDI32(00000000), ref: 00602B43
DestroyWindow.USER32 ref: 00602B52
GetDesktopWindow.USER32 ref: 00602B6D
GetWindowRect.USER32(00000000), ref: 00602B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00602CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00602CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602CF8
GetClientRect.USER32(00000000,?), ref: 00602D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00602D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D80
GlobalLock.KERNEL32(00000000), ref: 00602D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602D98
GlobalUnlock.KERNEL32(00000000), ref: 00602DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602DA8
GlobalFree.KERNEL32(00000000), ref: 00602DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0061FC38,00000000), ref: 00602DDB
GlobalFree.KERNEL32(00000000), ref: 00602DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00602E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00602E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00602E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0060303F

Strings

static, xrefs: 00602D3A, 00602E91
DISPLAY, xrefs: 00602EA2
AutoIt v3, xrefs: 00602CF2
, xrefs: 00602FC5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 336bbb5b53e3087645a009400c29f8ebf3e8a1a3afc9960572f21c9fc3562be0
Instruction ID: f381747acf72381b336baf800c0ead7dd7a13281d4f2df21b3a6bf42b3d0d0ae
Opcode Fuzzy Hash: 336bbb5b53e3087645a009400c29f8ebf3e8a1a3afc9960572f21c9fc3562be0
Instruction Fuzzy Hash: 2B029B71540206AFDB14DF64CC9DEAE7BBAFF49721F048159F915AB2A0DB70AD01CB60

Function 006170D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0061712F
GetSysColorBrush.USER32(0000000F), ref: 00617160
GetSysColor.USER32(0000000F), ref: 0061716C
SetBkColor.GDI32(?,000000FF), ref: 00617186
SelectObject.GDI32(?,?), ref: 00617195
InflateRect.USER32(?,000000FF,000000FF), ref: 006171C0
GetSysColor.USER32(00000010), ref: 006171C8
CreateSolidBrush.GDI32(00000000), ref: 006171CF
FrameRect.USER32(?,?,00000000), ref: 006171DE
DeleteObject.GDI32(00000000), ref: 006171E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00617230
FillRect.USER32(?,?,?), ref: 00617262
GetWindowLongW.USER32(?,000000F0), ref: 00617284

Part of subcall function 006173E8: GetSysColor.USER32(00000012), ref: 00617421
Part of subcall function 006173E8: SetTextColor.GDI32(?,?), ref: 00617425
Part of subcall function 006173E8: GetSysColorBrush.USER32(0000000F), ref: 0061743B
Part of subcall function 006173E8: GetSysColor.USER32(0000000F), ref: 00617446
Part of subcall function 006173E8: GetSysColor.USER32(00000011), ref: 00617463
Part of subcall function 006173E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00617471
Part of subcall function 006173E8: SelectObject.GDI32(?,00000000), ref: 00617482
Part of subcall function 006173E8: SetBkColor.GDI32(?,00000000), ref: 0061748B
Part of subcall function 006173E8: SelectObject.GDI32(?,?), ref: 00617498
Part of subcall function 006173E8: InflateRect.USER32(?,000000FF,000000FF), ref: 006174B7
Part of subcall function 006173E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006174CE
Part of subcall function 006173E8: GetWindowLongW.USER32(00000000,000000F0), ref: 006174DB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: d737f517d58eb81281f962ee40b8a8a3d99305de280ea9120f76cdefde3a6d12
Instruction ID: 1ea5c6a4ebaec732dfa9d59c693ec674b5a64c6e4d56855c955d9dd00fcaae5d
Opcode Fuzzy Hash: d737f517d58eb81281f962ee40b8a8a3d99305de280ea9120f76cdefde3a6d12
Instruction Fuzzy Hash: 35A1AD72048301BFDB009F64DC48A9E7BBBFB89331F185A1AF962961A0D771E9858B51

Function 00598D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00598E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 005D6AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 005D6AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 005D6F43

Part of subcall function 00598F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00598BE8,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 00598FC5

SendMessageW.USER32(?,00001053), ref: 005D6F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 005D6F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 005D6FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 005D6FB7

Strings

0, xrefs: 005D6DCF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 15899c085de09c5e050f54c540286ba9ad6291c93cd00b6ebe5a11dbf735cd0b
Instruction ID: 724279a34e3b9963fad3c510ae8a135427036e5ac549e6d6fc0a1a494a78bc90
Opcode Fuzzy Hash: 15899c085de09c5e050f54c540286ba9ad6291c93cd00b6ebe5a11dbf735cd0b
Instruction Fuzzy Hash: E9129E30600211DFDB25DF18D958BBABFAAFB46311F18846BF4958B261CB31EC52DB91

Function 00602711 Relevance: 47.6, APIs: 22, Strings: 5, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0060273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0060286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006028A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006028B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00602900
GetClientRect.USER32(00000000,?), ref: 0060290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00602955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00602964
GetStockObject.GDI32(00000011), ref: 00602974
SelectObject.GDI32(00000000,00000000), ref: 00602978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00602988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00602991
DeleteDC.GDI32(00000000), ref: 0060299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006029C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 006029DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00602A1D
SendMessageW.USER32(00000000,00000401,00000000,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 00602A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00602A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00602A77
GetStockObject.GDI32(00000011), ref: 00602A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00602A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00602A97

Strings

static, xrefs: 0060294F, 00602A71
msctls_progress32, xrefs: 00602A13
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00602A1F
DISPLAY, xrefs: 0060295A
AutoIt v3, xrefs: 006028F8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{$msctls_progress32$static
API String ID: 2910397461-2119349891
Opcode ID: b728457ef9cae1f251076b8a479330e6c61f6952304bf4ca8cf911fa88260f4d
Instruction ID: 27a286a4a9d208ba85d776b2f4df0fe4552b3443fbf65e1dac61e4e5be42f440
Opcode Fuzzy Hash: b728457ef9cae1f251076b8a479330e6c61f6952304bf4ca8cf911fa88260f4d
Instruction Fuzzy Hash: B1B14B71A40215AFEB14DF68CC5AFAE7BAAFB49721F048115F914EB290D770AD40CBA0

Function 005F4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F4AED
GetDriveTypeW.KERNEL32(?,0061CB68,?,\\.\,0061CC08), ref: 005F4BCA
SetErrorMode.KERNEL32(00000000,0061CB68,?,\\.\,0061CC08), ref: 005F4D36

Strings

Fibre, xrefs: 005F4CAD
ATA, xrefs: 005F4C98
Virtual, xrefs: 005F4CE5
1394, xrefs: 005F4C9F
SCSI, xrefs: 005F4C8A
RAMDisk, xrefs: 005F4BF4
USB, xrefs: 005F4CB4
SSA, xrefs: 005F4CA6
MMC, xrefs: 005F4CDE
Unknown, xrefs: 005F4BED, 005F4C83
Removable, xrefs: 005F4C10, 005F4C15
RAID, xrefs: 005F4CBB
SAS, xrefs: 005F4CC9
PhysicalDrive, xrefs: 005F4B76
ATAPI, xrefs: 005F4C91
Fixed, xrefs: 005F4C09
iSCSI, xrefs: 005F4CC2
FileBackedVirtual, xrefs: 005F4CEC
SSD, xrefs: 005F4C4A
CDROM, xrefs: 005F4BFB
\\.\, xrefs: 005F4B3F
SATA, xrefs: 005F4CD0
Network, xrefs: 005F4C02

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 5f902f955e1a22cf06eade9d060ea4300f21be388e8a05bd645fdcc5aea3dbc1
Instruction ID: 12fcf78ef2015195c4e039090e4fda64252ce1c34780eb085abfbf0b77c01b8a
Opcode Fuzzy Hash: 5f902f955e1a22cf06eade9d060ea4300f21be388e8a05bd645fdcc5aea3dbc1
Instruction Fuzzy Hash: C561D33064120EDBCB04EF24C9869BE7FB2BF85710B249815F906AB652DB39DD41DF62

Function 006173E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00617421
SetTextColor.GDI32(?,?), ref: 00617425
GetSysColorBrush.USER32(0000000F), ref: 0061743B
GetSysColor.USER32(0000000F), ref: 00617446
CreateSolidBrush.GDI32(?), ref: 0061744B
GetSysColor.USER32(00000011), ref: 00617463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00617471
SelectObject.GDI32(?,00000000), ref: 00617482
SetBkColor.GDI32(?,00000000), ref: 0061748B
SelectObject.GDI32(?,?), ref: 00617498
InflateRect.USER32(?,000000FF,000000FF), ref: 006174B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006174CE
GetWindowLongW.USER32(00000000,000000F0), ref: 006174DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0061752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00617554
InflateRect.USER32(?,000000FD,000000FD), ref: 00617572
DrawFocusRect.USER32(?,?), ref: 0061757D
GetSysColor.USER32(00000011), ref: 0061758E
SetTextColor.GDI32(?,00000000), ref: 00617596
DrawTextW.USER32(?,006170F5,000000FF,?,00000000), ref: 006175A8
SelectObject.GDI32(?,?), ref: 006175BF
DeleteObject.GDI32(?), ref: 006175CA
SelectObject.GDI32(?,?), ref: 006175D0
DeleteObject.GDI32(?), ref: 006175D5
SetTextColor.GDI32(?,?), ref: 006175DB
SetBkColor.GDI32(?,?), ref: 006175E5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: e4a85bfd442b311d0b8842e55d43388e576ec27ed1dcc6d2b8d510f52226ae74
Instruction ID: bbdb0c92ee9e2314017b9b821ccf5c3491b2a46dc4d6f5fc5531b45da67dabdb
Opcode Fuzzy Hash: e4a85bfd442b311d0b8842e55d43388e576ec27ed1dcc6d2b8d510f52226ae74
Instruction Fuzzy Hash: CA616D72944218BFDF019FA4DC49EEE7FBAEB09330F199116F915AB2A1D7709940CB90

Function 00610FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00611128
GetDesktopWindow.USER32 ref: 0061113D
GetWindowRect.USER32(00000000), ref: 00611144
GetWindowLongW.USER32(?,000000F0), ref: 00611199
DestroyWindow.USER32(?), ref: 006111B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006111ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0061120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0061121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00611232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00611245
IsWindowVisible.USER32(00000000), ref: 006112A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006112BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006112D0
GetWindowRect.USER32(00000000,?), ref: 006112E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0061130E
GetMonitorInfoW.USER32(00000000,?), ref: 00611328
CopyRect.USER32(?,?), ref: 0061133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 006113AA

Strings

tooltips_class32, xrefs: 006111E6
0, xrefs: 006110D3
(, xrefs: 0061131B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: d7b5e242fbf5468125584b06f76193fc5e9e0a5b79c4ec70e3d804dbd0131d3e
Instruction ID: 8b2d4c228e267683421853202cb82d8a1cb97dcd7042745dce7ae2c2256ddcd1
Opcode Fuzzy Hash: d7b5e242fbf5468125584b06f76193fc5e9e0a5b79c4ec70e3d804dbd0131d3e
Instruction Fuzzy Hash: 86B1A171608341AFD700DF64C889BAEBBE5FF89350F04891DFA999B261D731D884CB91

Function 00610241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006102E5
_wcslen.LIBCMT ref: 0061031F
_wcslen.LIBCMT ref: 00610389
_wcslen.LIBCMT ref: 006103F1
_wcslen.LIBCMT ref: 00610475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006104C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00610504

Part of subcall function 0059F9F2: _wcslen.LIBCMT ref: 0059F9FD

Part of subcall function 005E223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005E2258
Part of subcall function 005E223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005E228A

Strings

GETITEMCOUNT, xrefs: 00610316, 00610337
GETSELECTED, xrefs: 006105E1
SELECTCLEAR, xrefs: 0061052D
SELECTALL, xrefs: 00610515
SELECT, xrefs: 00610548
SELECTINVERT, xrefs: 0061057E
FINDITEM, xrefs: 00610627
GETSUBITEMCOUNT, xrefs: 00610384, 0061039F
GETSELECTEDCOUNT, xrefs: 00610470, 0061048B
GETTEXT, xrefs: 006103EC, 00610407
VIEWCHANGE, xrefs: 00610675
DESELECT, xrefs: 0061059C
ISSELECTED, xrefs: 006104DD

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: e89d43011f051d94e76141365d0a0480ea6833583640943a1ab9c639c0b3ba15
Instruction ID: 24e0cff061e312a517099bc9dee2a77db8056b0aa35d518036a3d0caec42d805
Opcode Fuzzy Hash: e89d43011f051d94e76141365d0a0480ea6833583640943a1ab9c639c0b3ba15
Instruction Fuzzy Hash: 42E1A2312082429FDB14EF24C5918AABBE7BFC8714F18495DF896AB391D770ED85CB81

Function 00598891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00598968
GetSystemMetrics.USER32(00000007), ref: 00598970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0059899B
GetSystemMetrics.USER32(00000008), ref: 005989A3
GetSystemMetrics.USER32(00000004), ref: 005989C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005989E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 005989F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00598A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00598A3C
GetClientRect.USER32(00000000,000000FF), ref: 00598A5A
GetStockObject.GDI32(00000011), ref: 00598A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00598A81

Part of subcall function 0059912D: GetCursorPos.USER32(?), ref: 00599141
Part of subcall function 0059912D: ScreenToClient.USER32(00000000,?), ref: 0059915E
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000001), ref: 00599183
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000002), ref: 0059919D

SetTimer.USER32(00000000,00000000,00000028,005990FC), ref: 00598AA8

Strings

AutoIt v3 GUI, xrefs: 00598A20

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: ed25374a39fa5697d9768fcf74448805ac3b2dfff4ac121b9d9d408e481e23e9
Instruction ID: 17f59fb1ef7be6cb46d42ce3d69d82b4d5a373580b9c93f075e099bd2d762936
Opcode Fuzzy Hash: ed25374a39fa5697d9768fcf74448805ac3b2dfff4ac121b9d9d408e481e23e9
Instruction Fuzzy Hash: C3B16E71A4020A9FDF14DF68CC45BEE3BB6FB49325F14412AFA15AB290DB74E841CB51

Function 005E0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005E1114
Part of subcall function 005E10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1120
Part of subcall function 005E10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E112F
Part of subcall function 005E10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1136
Part of subcall function 005E10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005E114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005E0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005E0E29
GetLengthSid.ADVAPI32(?), ref: 005E0E40
GetAce.ADVAPI32(?,00000000,?), ref: 005E0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005E0E96
GetLengthSid.ADVAPI32(?), ref: 005E0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 005E0EB5
HeapAlloc.KERNEL32(00000000), ref: 005E0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 005E0EDD
CopySid.ADVAPI32(00000000), ref: 005E0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005E0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005E0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 005E0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0F6E
HeapFree.KERNEL32(00000000), ref: 005E0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0F7E
HeapFree.KERNEL32(00000000), ref: 005E0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E0F8E
HeapFree.KERNEL32(00000000), ref: 005E0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 005E0FA1
HeapFree.KERNEL32(00000000), ref: 005E0FA8

Part of subcall function 005E1193: GetProcessHeap.KERNEL32(00000008,005E0BB1,?,00000000,?,005E0BB1,?), ref: 005E11A1
Part of subcall function 005E1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,005E0BB1,?), ref: 005E11A8
Part of subcall function 005E1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,005E0BB1,?), ref: 005E11B7

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 7f765c48342243fb6a6938db30a0a6b321cd1f8ec22da0ba4586f3aec47c3a34
Instruction ID: 3423612f6a34c26a4e008be23dc2c3fc0281981510971cf38a1458eb52cf53fc
Opcode Fuzzy Hash: 7f765c48342243fb6a6938db30a0a6b321cd1f8ec22da0ba4586f3aec47c3a34
Instruction Fuzzy Hash: 5571CE7290024AABDF24CFA5DC49FEEBBB9BF08311F089115F9A8E6190D7719D54CB60

Function 0060C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0061CC08,00000000,?,00000000,?,?), ref: 0060C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0060C5A4
_wcslen.LIBCMT ref: 0060C5F4
_wcslen.LIBCMT ref: 0060C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0060C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0060C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0060C84D
RegCloseKey.ADVAPI32(?), ref: 0060C881
RegCloseKey.ADVAPI32(00000000), ref: 0060C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0060C960

Strings

REG_MULTI_SZ, xrefs: 0060C6F5
REG_EXPAND_SZ, xrefs: 0060C5CD
REG_SZ, xrefs: 0060C644
REG_DWORD, xrefs: 0060C804
REG_BINARY, xrefs: 0060C913
REG_QWORD, xrefs: 0060C8C3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: caf8e9ec663e9a7dc9c4d92b9b7abe6251d4091f8463078f38eb8dc1d0c88c28
Instruction ID: 04f64a6ae4eeb10b5e7e1e6d5e079012128f77cbf04e90d1c3db245f5b518083
Opcode Fuzzy Hash: caf8e9ec663e9a7dc9c4d92b9b7abe6251d4091f8463078f38eb8dc1d0c88c28
Instruction Fuzzy Hash: C8128E352042019FD714EF14C885A6ABBE6FF88724F14895DF85AAB3A2DB31FC41CB95

Function 0061091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006109C6
_wcslen.LIBCMT ref: 00610A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00610A54
_wcslen.LIBCMT ref: 00610A8A
_wcslen.LIBCMT ref: 00610B06
_wcslen.LIBCMT ref: 00610B81

Part of subcall function 0059F9F2: _wcslen.LIBCMT ref: 0059F9FD

Part of subcall function 005E2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005E2BFA

Strings

GETTOTALCOUNT, xrefs: 006109F2, 00610A17
GETSELECTED, xrefs: 00610C4E
GETITEMCOUNT, xrefs: 00610C1E
EXISTS, xrefs: 00610B7C, 00610B97
COLLAPSE, xrefs: 00610B01, 00610B1C
ISCHECKED, xrefs: 00610CE1
CHECK, xrefs: 00610A85, 00610AA0
GETTEXT, xrefs: 00610C97
EXPAND, xrefs: 00610BF8
SELECT, xrefs: 00610D11
UNCHECK, xrefs: 00610D3E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: f314f4f886dd0f1b9840dbcd365615ebafd3e11f42735eb73347415663a726e9
Instruction ID: 12727c13592bfa47bb62d1c690b276180db379e2d978f1c58d1c868f22e5bd9a
Opcode Fuzzy Hash: f314f4f886dd0f1b9840dbcd365615ebafd3e11f42735eb73347415663a726e9
Instruction Fuzzy Hash: D7E1B2352083429FDB14EF24C4509AABBE2BFD8314F18895CF895AB362D771ED85CB91

Function 0060C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
_wcslen.LIBCMT ref: 0060C9F1
_wcslen.LIBCMT ref: 0060CA68
_wcslen.LIBCMT ref: 0060CA9E
_wcslen.LIBCMT ref: 0060CAF9
_wcslen.LIBCMT ref: 0060CB2F
_wcslen.LIBCMT ref: 0060CB7F

Strings

HKCR, xrefs: 0060CB29, 0060CB2E
HKCC, xrefs: 0060CBAC
HKU, xrefs: 0060CBF0
HKEY_CURRENT_USER, xrefs: 0060CBBD
HKEY_USERS, xrefs: 0060CBDF
HKEY_LOCAL_MACHINE, xrefs: 0060CA62, 0060CA67
HKCU, xrefs: 0060CBCE
HKLM, xrefs: 0060CA98, 0060CA9D
HKEY_CLASSES_ROOT, xrefs: 0060CAF3, 0060CAF8
HKEY_CURRENT_CONFIG, xrefs: 0060CB79, 0060CB7E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 442389cc6f8b69e296d57421429866377fc19ebce409a31ddfd6ecaa5c3ea819
Instruction ID: 94a2e4b67b7a941f44ea96368e79b8cf0b5e1769c172f73c3da3418ebc3483df
Opcode Fuzzy Hash: 442389cc6f8b69e296d57421429866377fc19ebce409a31ddfd6ecaa5c3ea819
Instruction Fuzzy Hash: 8D71DF3268016A8BCB28DF6CC9515FF3797ABA1770B250628FC56A73C4E731CD4587A0

Function 0061833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0061835A
_wcslen.LIBCMT ref: 0061836E
_wcslen.LIBCMT ref: 00618391
_wcslen.LIBCMT ref: 006183B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006183F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00615BF2), ref: 0061844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00618487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006184CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00618501
FreeLibrary.KERNEL32(?), ref: 0061850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0061851D
DestroyIcon.USER32(?,?,?,?,?,00615BF2), ref: 0061852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00618549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00618555

Strings

.exe, xrefs: 00618388
.icl, xrefs: 00618368
.dll, xrefs: 006183AB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: abeac818287eb15d86be1af1d28f3dfe023766824dd56a18378eaaa756191081
Instruction ID: 56d8671b12fba32884fa710e7ec0e97809b9116c7ce0785a28adf768f237d7e1
Opcode Fuzzy Hash: abeac818287eb15d86be1af1d28f3dfe023766824dd56a18378eaaa756191081
Instruction Fuzzy Hash: 3461BE71540206BEEB149F64CC45BFE7BAABB44721F14460AF815D71D1DFB4A990CBA0

Function 00587778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 005C519A
Unterminated group of comments, xrefs: 005C528C
#pragma compile, xrefs: 005877D3
#include-once, xrefs: 0058782F
#requireadmin, xrefs: 005877FF
#notrayicon, xrefs: 005877E7
#comments-end, xrefs: 005878D9
Cannot parse #include, xrefs: 005C5279
#cs, xrefs: 00587873, 005878C5
", xrefs: 005C5153
#comments-start, xrefs: 0058785F, 005878B1
#include, xrefs: 00587847
#OnAutoItStartRegister, xrefs: 00587817
', xrefs: 005C5169
#ce, xrefs: 005878ED

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: b9acf2e478bb9010185f363e4332ba2d7f11ef7d4b11fa31905a29f084db9464
Instruction ID: 745c5d408bbec57dc7374b1475adc7f02e259b2bbe71664e111162c4246a933e
Opcode Fuzzy Hash: b9acf2e478bb9010185f363e4332ba2d7f11ef7d4b11fa31905a29f084db9464
Instruction Fuzzy Hash: 5D81B37164460AABDB10BFA0CC4AFBE7FA9FF99300F184424FD05AA196EB70D951C791

Function 005F3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005F3EF8
_wcslen.LIBCMT ref: 005F3F03
_wcslen.LIBCMT ref: 005F3F5A
_wcslen.LIBCMT ref: 005F3F98
GetDriveTypeW.KERNEL32(?), ref: 005F3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005F401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005F4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005F4087

Strings

open , xrefs: 005F3FE5
wait, xrefs: 005F4044
closed, xrefs: 005F3F08, 005F3F2D, 005F3F46, 005F3F7E, 005F3F97
open, xrefs: 005F3F54, 005F3F59
type cdaudio alias cd wait, xrefs: 005F4001
close cd wait, xrefs: 005F4072
set cd door , xrefs: 005F4028
close, xrefs: 005F3EFE, 005F3F18

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 4b3f379d6bf97fdaad9c08bc9aedfc766261aa7e43e8d47c25668d465df3b075
Instruction ID: eb2b4a2faededae98c6171656f0c98ac82f13926ca70a3d601a0a93c21ecfbba
Opcode Fuzzy Hash: 4b3f379d6bf97fdaad9c08bc9aedfc766261aa7e43e8d47c25668d465df3b075
Instruction Fuzzy Hash: 0D71BD316042069FC310EF24C88587BBBE5FF95758F10492DFA95A7261EB38DE45CB52

Function 005E5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 005E5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005E5A40
SetWindowTextW.USER32(?,?), ref: 005E5A57
GetDlgItem.USER32(?,000003EA), ref: 005E5A6C
SetWindowTextW.USER32(00000000,?), ref: 005E5A72
GetDlgItem.USER32(?,000003E9), ref: 005E5A82
SetWindowTextW.USER32(00000000,?), ref: 005E5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005E5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005E5AC3
GetWindowRect.USER32(?,?), ref: 005E5ACC
_wcslen.LIBCMT ref: 005E5B33
SetWindowTextW.USER32(?,?), ref: 005E5B6F
GetDesktopWindow.USER32 ref: 005E5B75
GetWindowRect.USER32(00000000), ref: 005E5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 005E5BD3
GetClientRect.USER32(?,?), ref: 005E5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 005E5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005E5C2F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 7d0b936ce7737aa9cbf755514618c0ea8b00eb04e1e6023cbacc7005a9e85a81
Instruction ID: 975415ed85a7f0f4a585c9a4306ef835ec7a17924046e69e384840bab7e8e93e
Opcode Fuzzy Hash: 7d0b936ce7737aa9cbf755514618c0ea8b00eb04e1e6023cbacc7005a9e85a81
Instruction Fuzzy Hash: 07719031900B45AFDB24DFA9CE85BAEBBF5FF48718F144919E182A35A0E770E944CB50

Function 005FFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 005FFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 005FFE32
LoadCursorW.USER32(00000000,00007F00), ref: 005FFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 005FFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 005FFE53
LoadCursorW.USER32(00000000,00007F01), ref: 005FFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 005FFE69
LoadCursorW.USER32(00000000,00007F88), ref: 005FFE74
LoadCursorW.USER32(00000000,00007F80), ref: 005FFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 005FFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 005FFE95
LoadCursorW.USER32(00000000,00007F85), ref: 005FFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 005FFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 005FFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 005FFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 005FFECC
GetCursorInfo.USER32(?), ref: 005FFEDC
GetLastError.KERNEL32 ref: 005FFF1E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d25ccdfca27d29b5b0638a0fb507b719dcd66ab3b13c0fb1c9eb20891d652fe2
Instruction ID: 2d9bc228edbb8af59d5bd66b6877ba85b34b8ecfdb4749a632b0af0aa8cd087e
Opcode Fuzzy Hash: d25ccdfca27d29b5b0638a0fb507b719dcd66ab3b13c0fb1c9eb20891d652fe2
Instruction Fuzzy Hash: 6A4165B0D443196ADB10DFBA8C8986EBFE8FF04354B54852AF11DE7681DB789901CF91

Function 005E30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005E318D
_wcslen.LIBCMT ref: 005E31F8

Strings

NAME, xrefs: 005E3335, 005E3346
REGEXPCLASS, xrefs: 005E3255, 005E3266
TEXT, xrefs: 005E347C
CLASSNN, xrefs: 005E31F3, 005E3204
INSTANCE, xrefs: 005E3453
[d, xrefs: 005E339A
CLASS, xrefs: 005E3188, 005E31A5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[d
API String ID: 176396367-2866934335
Opcode ID: 3d1233da7bd338e43b1850be884456f3044aa364e56886a06582d9ac9f410dca
Instruction ID: f61d88502dec8cf6d2d34600b81b564f7c66a0a6c8b760da79b6e55283b19609
Opcode Fuzzy Hash: 3d1233da7bd338e43b1850be884456f3044aa364e56886a06582d9ac9f410dca
Instruction Fuzzy Hash: 39E10432A00556ABCF1C9FA9C459AEEBFB1BF44710F54852AE496F7240DB30AE45CB90

Function 005A00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 005A00C6

Part of subcall function 005A00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0065070C,00000FA0,4EA8B1DE,?,?,?,?,005C23B3,000000FF), ref: 005A011C
Part of subcall function 005A00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,005C23B3,000000FF), ref: 005A0127
Part of subcall function 005A00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,005C23B3,000000FF), ref: 005A0138
Part of subcall function 005A00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 005A014E
Part of subcall function 005A00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 005A015C
Part of subcall function 005A00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 005A016A
Part of subcall function 005A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005A0195
Part of subcall function 005A00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 005A01A0

___scrt_fastfail.LIBCMT ref: 005A00E7

Part of subcall function 005A00A3: __onexit.LIBCMT ref: 005A00A9

Strings

kernel32.dll, xrefs: 005A0133
SleepConditionVariableCS, xrefs: 005A0154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 005A0122
InitializeConditionVariable, xrefs: 005A0148
WakeAllConditionVariable, xrefs: 005A0162

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 3544287862e2616f777b9915917791325f938356e89fc16260cae0db49d73841
Instruction ID: 87dc775415d7f963ee5ab9531e2baf363aeeefc8f8b8abfe7cf4b469b90c8f8a
Opcode Fuzzy Hash: 3544287862e2616f777b9915917791325f938356e89fc16260cae0db49d73841
Instruction Fuzzy Hash: C521C932A957116BE7105B64BC0ABED3BA6FF46F61F05552AF801D62D1DB7498008A90

Function 005F44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0061CC08), ref: 005F4527
_wcslen.LIBCMT ref: 005F453B
_wcslen.LIBCMT ref: 005F4599
_wcslen.LIBCMT ref: 005F45F4
_wcslen.LIBCMT ref: 005F463F
_wcslen.LIBCMT ref: 005F46A7

Part of subcall function 0059F9F2: _wcslen.LIBCMT ref: 0059F9FD

GetDriveTypeW.KERNEL32(?,00646BF0,00000061), ref: 005F4743

Strings

all, xrefs: 005F4531, 005F4536
network, xrefs: 005F469D, 005F46A2
removable, xrefs: 005F45EA, 005F45EF
cdrom, xrefs: 005F458F, 005F4594
ramdisk, xrefs: 005F46F1
unknown, xrefs: 005F4708
fixed, xrefs: 005F4635, 005F463A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ce705a96268b02222835010f72081fe7ae637a2e3c9a82c3d761b389d7aa987b
Instruction ID: 53cdba845f81a5bb86d6d3f4208f855710331347071ecf47649ba48730516c8f
Opcode Fuzzy Hash: ce705a96268b02222835010f72081fe7ae637a2e3c9a82c3d761b389d7aa987b
Instruction Fuzzy Hash: 1FB1EC316083069BC710EF28C890A7BBBE5BFE6720F10491DF696D7291E738D845CB92

Function 0061911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

DragQueryPoint.SHELL32(?,?), ref: 00619147

Part of subcall function 00617674: ClientToScreen.USER32(?,?), ref: 0061769A
Part of subcall function 00617674: GetWindowRect.USER32(?,?), ref: 00617710
Part of subcall function 00617674: PtInRect.USER32(?,?,00618B89), ref: 00617720

SendMessageW.USER32(?,000000B0,?,?), ref: 006191B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006191BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006191DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00619225
SendMessageW.USER32(?,000000B0,?,?), ref: 0061923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00619255
SendMessageW.USER32(?,000000B1,?,?), ref: 00619277
DragFinish.SHELL32(?), ref: 0061927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00619371

Strings

@GUI_DRAGID, xrefs: 006192E9
@GUI_DRAGFILE, xrefs: 00619320
@GUI_DROPID, xrefs: 0061929E
p#e, xrefs: 006192BB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#e
API String ID: 221274066-1301395850
Opcode ID: e07c71e3af4fc548bf2bd607089077b63f2ab72d8729f535dd14cb8f47cc8f12
Instruction ID: eb762a317b7d6a6ab3d0c30dd6c06116a733e7f5931675ed3adbc6174beaf7e6
Opcode Fuzzy Hash: e07c71e3af4fc548bf2bd607089077b63f2ab72d8729f535dd14cb8f47cc8f12
Instruction Fuzzy Hash: 22613A71108301AFD701EF54D899DAFBBEAFBC5750F04492EF595921A0DB309A49CB62

Function 0058326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00651990), ref: 005C2F8D
GetMenuItemCount.USER32(00651990), ref: 005C303D
GetCursorPos.USER32(?), ref: 005C3081
SetForegroundWindow.USER32(00000000), ref: 005C308A
TrackPopupMenuEx.USER32(00651990,00000000,?,00000000,00000000,00000000), ref: 005C309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005C30A9

Strings

0, xrefs: 0058327D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: e2fe3834075b761345c65201fabe9b4b893c203455eb5766ae2cace68abea171
Instruction ID: 900a1861b44a8d9b57814c0457c394bddeaa5a123a90094acea51a27c873c521
Opcode Fuzzy Hash: e2fe3834075b761345c65201fabe9b4b893c203455eb5766ae2cace68abea171
Instruction Fuzzy Hash: B771197164420ABEFB259F69CC49FAABF65FF01724F24421AF9157A1E0C7B1AD10C790

Function 00616CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00616DEB

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00616E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00616E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00616E94
DestroyWindow.USER32(?), ref: 00616EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00580000,00000000), ref: 00616EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00616EFD
GetDesktopWindow.USER32 ref: 00616F16
GetWindowRect.USER32(00000000), ref: 00616F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00616F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00616F4D

Part of subcall function 00599944: GetWindowLongW.USER32(?,000000EB), ref: 00599952

Strings

tooltips_class32, xrefs: 00616E58, 00616EDD
0, xrefs: 00616D98

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: e34c11ed6fbafb5f219cb1bd37954f187e8350455f64531893f120be5a481bb7
Instruction ID: 0188eac3c12a7bbcf0a233e65a0f1ef042826dfdbf350a26792ad1cbcbded7ba
Opcode Fuzzy Hash: e34c11ed6fbafb5f219cb1bd37954f187e8350455f64531893f120be5a481bb7
Instruction Fuzzy Hash: 81716778244340AFDB21CF18DC48BEABBFAFB89314F08451EF99997261C770A946CB11

Function 005FC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005FC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005FC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005FC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005FC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 005FC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005FC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005FC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005FC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 005FC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 005FC5F0
InternetCloseHandle.WININET(00000000), ref: 005FC5FB

Strings

, xrefs: 005FC575

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 9ef2ddeffddbfdf861fcf6fe21f7e40e604b5faa25325cecd78666196ba4d8a7
Instruction ID: 6a36f685710f0d5df24ba2fd0d49b5b211d0273f703c4f63aa26717583a9b70c
Opcode Fuzzy Hash: 9ef2ddeffddbfdf861fcf6fe21f7e40e604b5faa25325cecd78666196ba4d8a7
Instruction Fuzzy Hash: 92514DB154020DBFDB218F64CA48ABB7FBDFF48754F04842AFA4596250DB78E944DB60

Function 0061856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00618592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185BA
GlobalLock.KERNEL32(00000000), ref: 006185C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185D7
GlobalUnlock.KERNEL32(00000000), ref: 006185E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 006185F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0061FC38,?), ref: 00618611
GlobalFree.KERNEL32(00000000), ref: 00618621
GetObjectW.GDI32(?,00000018,?), ref: 00618641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00618671
DeleteObject.GDI32(?), ref: 00618699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006186AF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 83fd49908f7039d35fb64eb28e8e3fbb6c00d8c5032ae86e7c89fea07bf725e0
Instruction ID: f00efe1d4c7923858e47698833b94bd2f8759ad7d48bd8a0c4e0a561b94d8311
Opcode Fuzzy Hash: 83fd49908f7039d35fb64eb28e8e3fbb6c00d8c5032ae86e7c89fea07bf725e0
Instruction Fuzzy Hash: DE410975640204AFDB119FA5DC48EEE7BBAEF89721F188059F905E7260DB309A41DB60

Function 005F14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 005F1502
VariantCopy.OLEAUT32(?,?), ref: 005F150B
VariantClear.OLEAUT32(?), ref: 005F1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 005F15FB
VarR8FromDec.OLEAUT32(?,?), ref: 005F1657
VariantInit.OLEAUT32(?), ref: 005F1708
SysFreeString.OLEAUT32(?), ref: 005F178C
VariantClear.OLEAUT32(?), ref: 005F17D8
VariantClear.OLEAUT32(?), ref: 005F17E7
VariantInit.OLEAUT32(00000000), ref: 005F1823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 005F1625
Default, xrefs: 005F16AF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 2d589e878b0f4d8d272cb24c57cb76a55c2a53001d363453aac46972a8ff63d2
Instruction ID: af1a729214d94d5fa148bb91be0a725a2708ca83b718ac30e9d29c6f1c4ed1a1
Opcode Fuzzy Hash: 2d589e878b0f4d8d272cb24c57cb76a55c2a53001d363453aac46972a8ff63d2
Instruction Fuzzy Hash: 5CD1F471A00A19DBDF04AF65E489B7DBFB6BF85700F148456EA06AB180DB38DC40DFA5

Function 0060B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0060B80A
RegCloseKey.ADVAPI32(?), ref: 0060B87E
RegCloseKey.ADVAPI32(?), ref: 0060B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0060B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0060B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0060B922
FreeLibrary.KERNEL32(00000000), ref: 0060B983
RegCloseKey.ADVAPI32(00000000), ref: 0060B994

Strings

RegDeleteKeyExW, xrefs: 0060B8FE
advapi32.dll, xrefs: 0060B8ED

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: a0553722eca7c275cabb294a24a555e7915137ca674ee637081211dde76bf515
Instruction ID: 3f5f2a621761272dee01d1b85ce2d116244f306d959a6a9e218bceb4f06d39eb
Opcode Fuzzy Hash: a0553722eca7c275cabb294a24a555e7915137ca674ee637081211dde76bf515
Instruction Fuzzy Hash: 4AC19D30248202AFD714DF14C495F6ABBE6BF84318F18D55CE55A5B3A2CB71EC45CB91

Function 0060255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006025D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006025E8
CreateCompatibleDC.GDI32(?), ref: 006025F4
SelectObject.GDI32(00000000,?), ref: 00602601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0060266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006026AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006026D0
SelectObject.GDI32(?,?), ref: 006026D8
DeleteObject.GDI32(?), ref: 006026E1
DeleteDC.GDI32(?), ref: 006026E8
ReleaseDC.USER32(00000000,?), ref: 006026F3

Strings

(, xrefs: 0060268D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 51debd37b9f047896fd5d822b0bc95901bba3b6bc7b93cce6729851dfb4c13b3
Instruction ID: e14dda0501d117470861a20ffedfb7e4da6c8b3c9e31932dd554ed97235dcc47
Opcode Fuzzy Hash: 51debd37b9f047896fd5d822b0bc95901bba3b6bc7b93cce6729851dfb4c13b3
Instruction Fuzzy Hash: 13611375D4021AEFCF04CFA4C888AAEBBB6FF48310F24842AE955A7250D371A941CF94

Function 005BDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 005BDAA1

Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD659
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD66B
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD67D
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD68F
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6A1
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6B3
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6C5
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6D7
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6E9
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD6FB
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD70D
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD71F
Part of subcall function 005BD63C: _free.LIBCMT ref: 005BD731

_free.LIBCMT ref: 005BDA96

Part of subcall function 005B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BDAB8
_free.LIBCMT ref: 005BDACD
_free.LIBCMT ref: 005BDAD8
_free.LIBCMT ref: 005BDAFA
_free.LIBCMT ref: 005BDB0D
_free.LIBCMT ref: 005BDB1B
_free.LIBCMT ref: 005BDB26
_free.LIBCMT ref: 005BDB5E
_free.LIBCMT ref: 005BDB65
_free.LIBCMT ref: 005BDB82
_free.LIBCMT ref: 005BDB9A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: bff1e64ba62f66ca6d2412e7f46bab5328bbd7424684b147279ae2e10b0c4c4c
Instruction ID: 94c5c71f87c16e6973d2e5d253f1888fbe1e99d54f9942515d41c146baa21af9
Opcode Fuzzy Hash: bff1e64ba62f66ca6d2412e7f46bab5328bbd7424684b147279ae2e10b0c4c4c
Instruction Fuzzy Hash: BD310B31604606AFEB21AB39E849BD6BFF9FF50321F154819E45DD7191EA35BC808B34

Function 005E365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005E369C
_wcslen.LIBCMT ref: 005E36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005E3797
GetClassNameW.USER32(?,?,00000400), ref: 005E380C
GetDlgCtrlID.USER32(?), ref: 005E385D
GetWindowRect.USER32(?,?), ref: 005E3882
GetParent.USER32(?), ref: 005E38A0
ScreenToClient.USER32(00000000), ref: 005E38A7
GetClassNameW.USER32(?,?,00000100), ref: 005E3921
GetWindowTextW.USER32(?,?,00000400), ref: 005E395D

Strings

%s%u, xrefs: 005E3734

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: e1b1e994dcff65b9195ee0686d2c01e174d8602aae4252fcd6fcf437a08cc023
Instruction ID: 9e95489210f3405880f24a40c31386584e3daa78b3b71b502a88c34f54ea252e
Opcode Fuzzy Hash: e1b1e994dcff65b9195ee0686d2c01e174d8602aae4252fcd6fcf437a08cc023
Instruction Fuzzy Hash: 0491AF71204646AFD718DF26C889FEABBA9FF84350F008529F9D9D3191DB30EA45CB91

Function 005E4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 005E4994
GetWindowTextW.USER32(?,?,00000400), ref: 005E49DA
_wcslen.LIBCMT ref: 005E49EB
CharUpperBuffW.USER32(?,00000000), ref: 005E49F7
_wcsstr.LIBVCRUNTIME ref: 005E4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 005E4A64
GetWindowTextW.USER32(?,?,00000400), ref: 005E4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 005E4AE6
GetClassNameW.USER32(?,?,00000400), ref: 005E4B20
GetWindowRect.USER32(?,?), ref: 005E4B8B

Strings

ThumbnailClass, xrefs: 005E4A6F, 005E4AF1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: a5bf1fea463bc0b089830f3824352812fe244565a1dc5581e5a0b981cb2b3b30
Instruction ID: fbffe54d966f935fcc76907868a317c4ea0179cee9c181a2505851384ab4f7cc
Opcode Fuzzy Hash: a5bf1fea463bc0b089830f3824352812fe244565a1dc5581e5a0b981cb2b3b30
Instruction Fuzzy Hash: 77919C710042469BDB08DF16C985FAA7BA9FF84314F04846AFDC59A096EB34ED45CFA1

Function 00618D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00618D5A
GetFocus.USER32 ref: 00618D6A
GetDlgCtrlID.USER32(00000000), ref: 00618D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00618E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00618ECF
GetMenuItemCount.USER32(?), ref: 00618EEC
GetMenuItemID.USER32(?,00000000), ref: 00618EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00618F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00618F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00618FA1

Strings

0, xrefs: 00618E9F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: f5ff4a4d4315ff1c0efb244d0e777a070ce7fd407a949700a013f50dee942b71
Instruction ID: 69b339ca4fb7be8f77eea87f6a7be7bd6b0d7c50b3c1cc10456adc054097422c
Opcode Fuzzy Hash: f5ff4a4d4315ff1c0efb244d0e777a070ce7fd407a949700a013f50dee942b71
Instruction Fuzzy Hash: 4D817C715083019FDB10CF24D884AEBBBEBFB89364F18491EF99597291DB70D981CBA1

Function 005EDC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005EDC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005EDC46
_wcslen.LIBCMT ref: 005EDC50
_wcsstr.LIBVCRUNTIME ref: 005EDCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005EDCBC

Strings

\VarFileInfo\Translation, xrefs: 005EDCB4
StringFileInfo\, xrefs: 005EDC8F
DefaultLangCodepage, xrefs: 005EDD1F
04090000, xrefs: 005EDCF2
%u.%u.%u.%u, xrefs: 005EDD9A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: a6fef1da0f8b1a657e8319d0421d49639b097bbdb62a112fa0f759a87ba9743d
Instruction ID: 73c7825ec669c0464bcb00da59f06a1a6ee36f8a4180d3dc2830978f2075cba0
Opcode Fuzzy Hash: a6fef1da0f8b1a657e8319d0421d49639b097bbdb62a112fa0f759a87ba9743d
Instruction Fuzzy Hash: 9C41F072A402167ADB04A765DC0BEFF7FBCFF82760F140069F900E6182EA70990197B5

Function 0060CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0060CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0060CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0060CD48

Part of subcall function 0060CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0060CCAA
Part of subcall function 0060CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0060CCBD
Part of subcall function 0060CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0060CCCF
Part of subcall function 0060CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0060CD05
Part of subcall function 0060CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0060CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0060CCF3

Strings

RegDeleteKeyExW, xrefs: 0060CCC9
advapi32.dll, xrefs: 0060CCB8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 6baf5dbbcbc6db55785ffb4ed1d4de6ad7a1bd976d14d7210b7f9af151b1e867
Instruction ID: 59b90d05adfef9d636b28194f85803b1cbc3ab60000a4dead34c3a2788f7ec99
Opcode Fuzzy Hash: 6baf5dbbcbc6db55785ffb4ed1d4de6ad7a1bd976d14d7210b7f9af151b1e867
Instruction Fuzzy Hash: 45319271981128BBD7248B54DC88EFFBB7EEF45760F044266F905E2290D7309E45DAA0

Function 005F3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005F3D40
_wcslen.LIBCMT ref: 005F3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 005F3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005F3DBE
RemoveDirectoryW.KERNEL32(?), ref: 005F3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005F3E55
CloseHandle.KERNEL32(00000000), ref: 005F3E60
CloseHandle.KERNEL32(00000000), ref: 005F3E6B

Strings

\, xrefs: 005F3D77
:, xrefs: 005F3D82
\??\%s, xrefs: 005F3D5B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 461e76bccdd1272ad270152ac87256cc56ace7880d03810558ee38afdb040fcb
Instruction ID: 6c76612325ff0acb26396d2fd97149f8abb0c3ddf905b939724423d5a663b437
Opcode Fuzzy Hash: 461e76bccdd1272ad270152ac87256cc56ace7880d03810558ee38afdb040fcb
Instruction Fuzzy Hash: 0231A1B194021AABEB209BA0DC49FEF3BBDFF89750F1440B6F605D6060EB7497448B24

Function 005EE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005EE6B4

Part of subcall function 0059E551: timeGetTime.WINMM(?,?,005EE6D4), ref: 0059E555

Sleep.KERNEL32(0000000A), ref: 005EE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 005EE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005EE727
SetActiveWindow.USER32 ref: 005EE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005EE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 005EE773
Sleep.KERNEL32(000000FA), ref: 005EE77E
IsWindow.USER32 ref: 005EE78A
EndDialog.USER32(00000000), ref: 005EE79B

Strings

BUTTON, xrefs: 005EE719

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 74ce3ce517e3f99612b532dbb677d23071e05a5d1507ccec14da18dba0fd1bdc
Instruction ID: 6afceee5f3fb05b2994a8726c0674d391e36c5cdaa142227ac7705ce003cee8a
Opcode Fuzzy Hash: 74ce3ce517e3f99612b532dbb677d23071e05a5d1507ccec14da18dba0fd1bdc
Instruction Fuzzy Hash: 6621D5B0250382AFEB049F21EC9FB693F6BF75635AF04B426F445821B1DB71AC408B64

Function 005EE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005EEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005EEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005EEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005EEAA7

Strings

play PlayMe wait, xrefs: 005EEA91
open , xrefs: 005EEA0C
play PlayMe, xrefs: 005EEAA2
alias PlayMe, xrefs: 005EEA36
close PlayMe, xrefs: 005EEA6E, 005EEA9B
status PlayMe mode, xrefs: 005EEA58

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 4c111b8127e241d3a18dfe718e6d0763eb4f60ee02bba872c90235eea83d78b4
Instruction ID: 40a9b1bab766f441551fabcf8c9d2a34ae4cc8d13cdf637f2134b9dba8a2ae8c
Opcode Fuzzy Hash: 4c111b8127e241d3a18dfe718e6d0763eb4f60ee02bba872c90235eea83d78b4
Instruction Fuzzy Hash: 2E115431A5025A79E724B762DC4FDFF6E7DFBD2B40F050429B811A20D1EEB00905C6B1

Function 005E5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005E5CE2
GetWindowRect.USER32(00000000,?), ref: 005E5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 005E5D59
GetDlgItem.USER32(?,00000002), ref: 005E5D69
GetWindowRect.USER32(00000000,?), ref: 005E5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 005E5DCF
GetDlgItem.USER32(?,000003E9), ref: 005E5DDD
GetWindowRect.USER32(00000000,?), ref: 005E5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 005E5E31
GetDlgItem.USER32(?,000003EA), ref: 005E5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005E5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 005E5E67

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: fbfff4ad80743a086a240883d5a316c9c47c36a45440e702866b549d8d0dd903
Instruction ID: e7737337234a1f0b590b73e5785b7c29b54218049b13a6b0b491787a00951771
Opcode Fuzzy Hash: fbfff4ad80743a086a240883d5a316c9c47c36a45440e702866b549d8d0dd903
Instruction Fuzzy Hash: 85513FB0B40615AFDF18CF69CD99AAEBBBAFB48314F148129F515E7290E7709E04CB50

Function 00598BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00598F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00598BE8,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 00598FC5

DestroyWindow.USER32(?), ref: 00598C81
KillTimer.USER32(00000000,?,?,?,?,00598BBA,00000000,?), ref: 00598D1B
DestroyAcceleratorTable.USER32(00000000), ref: 005D6973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 005D69A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00598BBA,00000000,?), ref: 005D69B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00598BBA,00000000), ref: 005D69D4
DeleteObject.GDI32(00000000), ref: 005D69E6

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 63616ebc858d838f4ef443eeaab6b5183d4babf8dd4d4c3dcfe710ba3c69510d
Instruction ID: fa5d23ae31f7562a32989d5deebf68fd517798924ed21c70d57cc56b6183dd4f
Opcode Fuzzy Hash: 63616ebc858d838f4ef443eeaab6b5183d4babf8dd4d4c3dcfe710ba3c69510d
Instruction Fuzzy Hash: 45615A31502701DFCF35DF18D958B797BB2FB46322F14A91AE0829B6A0CB71AD91DB90

Function 00599838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00599944: GetWindowLongW.USER32(?,000000EB), ref: 00599952

GetSysColor.USER32(0000000F), ref: 00599862

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6acf32cccc8131a13f4fdde31e63c6c7c007ed3a87ab986ce399438e0f898468
Instruction ID: 79013d30fe3bc1914f4eb2351613b97cf3d9b0d260e3ced57f3cef653fa75d19
Opcode Fuzzy Hash: 6acf32cccc8131a13f4fdde31e63c6c7c007ed3a87ab986ce399438e0f898468
Instruction Fuzzy Hash: ED418F31144644AFDF209F3C9C89BB93F66BB0A331F18561EF9A2872E1E7319842DB51

Function 005B8D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.Z, xrefs: 005B903A, 005B8FD0, 005B8FF2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: .Z
API String ID: 0-572057124
Opcode ID: 563aae4ea11c6102a382f543d3955855adf1387b6361f722d53edd3c6b1c1368
Instruction ID: de00e7d3899d5a84c7bed28b138f2590e890e8e83ff3a272657a248aae74272d
Opcode Fuzzy Hash: 563aae4ea11c6102a382f543d3955855adf1387b6361f722d53edd3c6b1c1368
Instruction Fuzzy Hash: 17C1E27490424AAFDB11EFA8D849BFDBFB5BF4A310F184199F914A7392C730A941CB61

Function 005E96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,005CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 005E9717
LoadStringW.USER32(00000000,?,005CF7F8,00000001), ref: 005E9720

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,005CF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 005E9742
LoadStringW.USER32(00000000,?,005CF7F8,00000001), ref: 005E9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 005E9866

Strings

Line %d:, xrefs: 005E97A0
Line %d (File "%s"):, xrefs: 005E978F
^ ERROR, xrefs: 005E97FB
Error: , xrefs: 005E981D
%s (%d) : ==> %s: %s %s, xrefs: 005E984A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: bf35ebf32ffd1ab7c2c0f6b89eeabc10b539cfbb9234d8ab264f4c892c2a2ed0
Instruction ID: a046bb46ec51227ac8e1b1e82af7bf5de1a104d1627316ee1ae7addc1204b4f0
Opcode Fuzzy Hash: bf35ebf32ffd1ab7c2c0f6b89eeabc10b539cfbb9234d8ab264f4c892c2a2ed0
Instruction Fuzzy Hash: 02413D7280420AAADF04FBE0CD4ADEE7B79BF95740F144425FA0572092EE256F49CB61

Function 005E06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005E07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005E07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005E07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005E0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 005E082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005E0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005E083C

Strings

SOFTWARE\Classes\, xrefs: 005E070E
\IPC$, xrefs: 005E0784
\CLSID, xrefs: 005E0724

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 22ad5f716b510f7ac4e9b817bd48bd1d51a84485c1ea72772f664253ef8f8d5c
Instruction ID: 6ee5a3853c6566bc8b6dcd001b80df7eecbc085249c70f3a6c9a64a59d587ac6
Opcode Fuzzy Hash: 22ad5f716b510f7ac4e9b817bd48bd1d51a84485c1ea72772f664253ef8f8d5c
Instruction Fuzzy Hash: 59411972C1022AABDF15EBA4DC998EDBB79FF44750F14412AE901B31A1EB709E44CB90

Function 00603C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00603C5C
CoInitialize.OLE32(00000000), ref: 00603C8A
CoUninitialize.OLE32 ref: 00603C94
_wcslen.LIBCMT ref: 00603D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00603DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00603ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00603F0E
CoGetObject.OLE32(?,00000000,0061FB98,?), ref: 00603F2D
SetErrorMode.KERNEL32(00000000), ref: 00603F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00603FC4
VariantClear.OLEAUT32(?), ref: 00603FD8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 2225d7a92c731506211b85f94d13251a24128365fb1df4d60ffb370cc1fb1cd1
Instruction ID: cc9e5f5dc3099e09af83b9758a82001ec5ab58f1b10ef1a7f5b9e8f200ff115e
Opcode Fuzzy Hash: 2225d7a92c731506211b85f94d13251a24128365fb1df4d60ffb370cc1fb1cd1
Instruction Fuzzy Hash: D7C133716482129FD704DF28C88496BBBEAFF89745F04491DF98A9B390DB30ED06CB52

Function 005F7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005F7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005F7B8F
SHGetDesktopFolder.SHELL32(?), ref: 005F7BA3
CoCreateInstance.OLE32(0061FD08,00000000,00000001,00646E6C,?), ref: 005F7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005F7C74
CoTaskMemFree.OLE32(?,?), ref: 005F7CCC
SHBrowseForFolderW.SHELL32(?), ref: 005F7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005F7D7A
CoTaskMemFree.OLE32(00000000), ref: 005F7D81
CoTaskMemFree.OLE32(00000000), ref: 005F7DD6
CoUninitialize.OLE32 ref: 005F7DDC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: f3d9290ac79bc720b7678574b5840b39c231de1d0d1f2c254346a3a04ae2393b
Instruction ID: b621c1c226b30afe745cf4f1e3e48f784603284b53a5ab07a526edd00336111a
Opcode Fuzzy Hash: f3d9290ac79bc720b7678574b5840b39c231de1d0d1f2c254346a3a04ae2393b
Instruction Fuzzy Hash: 19C12B75A04109AFCB14DFA4C888DAEBFF9FF48314B148499E919EB261D734EE41CB90

Function 0061541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00615504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00615515
CharNextW.USER32(00000158), ref: 00615544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00615585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0061559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006155AC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 9bf5113b031655652f3eaa521414c3a23304d49947427febfa57fbb278067ad6
Instruction ID: 8fae9ee0c1182e74902489bc1f43fef8d8342b70ced4c1a0ea5094e8b48fdc81
Opcode Fuzzy Hash: 9bf5113b031655652f3eaa521414c3a23304d49947427febfa57fbb278067ad6
Instruction Fuzzy Hash: 8E619230900609EFDF109F54CC849FEBBBBEB89721F188545F526AA290D7748AC1DBA1

Function 005DFA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005DFAAF
SafeArrayAllocData.OLEAUT32(?), ref: 005DFB08
VariantInit.OLEAUT32(?), ref: 005DFB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 005DFB3A
VariantCopy.OLEAUT32(?,?), ref: 005DFB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 005DFBA1
VariantClear.OLEAUT32(?), ref: 005DFBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 005DFBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005DFBCC
VariantClear.OLEAUT32(?), ref: 005DFBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005DFBE9

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 97e907acc518004f2f302c0a60958e9332a14da51844885e6174b647472ec470
Instruction ID: 19e4451ef45328c139085465177acaea6585280d8956eae5f3ae961f52f40b50
Opcode Fuzzy Hash: 97e907acc518004f2f302c0a60958e9332a14da51844885e6174b647472ec470
Instruction Fuzzy Hash: DA413135A04219DFDB10DF68D8589EDBFB9FF48354F04806BE946A7361D730A945CB90

Function 005E9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005E9CA1
GetAsyncKeyState.USER32(000000A0), ref: 005E9D22
GetKeyState.USER32(000000A0), ref: 005E9D3D
GetAsyncKeyState.USER32(000000A1), ref: 005E9D57
GetKeyState.USER32(000000A1), ref: 005E9D6C
GetAsyncKeyState.USER32(00000011), ref: 005E9D84
GetKeyState.USER32(00000011), ref: 005E9D96
GetAsyncKeyState.USER32(00000012), ref: 005E9DAE
GetKeyState.USER32(00000012), ref: 005E9DC0
GetAsyncKeyState.USER32(0000005B), ref: 005E9DD8
GetKeyState.USER32(0000005B), ref: 005E9DEA

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0bb13039e8928057f5eb3c54d06d250574c80d304c4c07a98c844ad14838ca9c
Instruction ID: f368491abbf89fe727c4966c1d8136253042562712cb220235602b54a09203ff
Opcode Fuzzy Hash: 0bb13039e8928057f5eb3c54d06d250574c80d304c4c07a98c844ad14838ca9c
Instruction Fuzzy Hash: A84107745047D96EFF389B6289043F5BEE17F11304F08805ACAC6561C2DBA49DD8C7A2

Function 0060055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006005BC
inet_addr.WSOCK32(?), ref: 0060061C
gethostbyname.WSOCK32(?), ref: 00600628
IcmpCreateFile.IPHLPAPI ref: 00600636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006006C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006006E5
IcmpCloseHandle.IPHLPAPI(?), ref: 006007B9
WSACleanup.WSOCK32 ref: 006007BF

Strings

Ping, xrefs: 00600676

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 89ddc9b733c7ba2ac431362b8b8dfce38f53d619db45523230da4091fad533d2
Instruction ID: 3fe04391c8a20f31172018061d5f6681fadc8fb9217642e16caa78fa0aee307b
Opcode Fuzzy Hash: 89ddc9b733c7ba2ac431362b8b8dfce38f53d619db45523230da4091fad533d2
Instruction Fuzzy Hash: 7191BF346442019FE724DF14C888F5ABBE2BF84318F1885A9F4699B7A2C774EC41CF81

Function 00608CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00608CF3

Part of subcall function 005E8E54: _wcslen.LIBCMT ref: 005E8E77

_wcslen.LIBCMT ref: 00608D4E
_wcslen.LIBCMT ref: 00608D9C
_wcslen.LIBCMT ref: 00608DDC
_wcslen.LIBCMT ref: 00608E6E

Strings

stdcall, xrefs: 00608DD6, 00608DDB
cdecl, xrefs: 00608D48, 00608D4D
winapi, xrefs: 00608D96, 00608D9B
none, xrefs: 00608E65, 00608E6A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a990e92dfb97a1e9c951a777960704999c2ea9f93518c472a4750e26a1ded6ff
Instruction ID: b58aeaafa3d985d4671e0c4745e9c75f2321261acaf50fca6bcaae7b15e81c4a
Opcode Fuzzy Hash: a990e92dfb97a1e9c951a777960704999c2ea9f93518c472a4750e26a1ded6ff
Instruction Fuzzy Hash: 16518E31A405179FCB18DF68C9508FFB7A6BFA5720B254229E8A6A73C4DB30DD41CB90

Function 0060372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00603774
CoUninitialize.OLE32 ref: 0060377F
CoCreateInstance.OLE32(?,00000000,00000017,0061FB78,?), ref: 006037D9
IIDFromString.OLE32(?,?), ref: 0060384C
VariantInit.OLEAUT32(?), ref: 006038E4
VariantClear.OLEAUT32(?), ref: 00603936

Strings

Invalid parameter, xrefs: 00603865
Failed to create object, xrefs: 006037E4, 0060389A
NULL Pointer assignment, xrefs: 0060381E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: aeff653869d7a9cfe7b12cfd89674acd5468a3520fa7dfd01205b31eb2e3f1f9
Instruction ID: c71d4f91443bec4a5dfca83f23035bfff72c560d80b4d0e833fa11ed6eba1a24
Opcode Fuzzy Hash: aeff653869d7a9cfe7b12cfd89674acd5468a3520fa7dfd01205b31eb2e3f1f9
Instruction Fuzzy Hash: 6C61CF70248311AFD314DF54C888BABBBEABF88711F044849F9859B391D770EE49CB92

Function 00618B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

Part of subcall function 0059912D: GetCursorPos.USER32(?), ref: 00599141
Part of subcall function 0059912D: ScreenToClient.USER32(00000000,?), ref: 0059915E
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000001), ref: 00599183
Part of subcall function 0059912D: GetAsyncKeyState.USER32(00000002), ref: 0059919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00618B6B
ImageList_EndDrag.COMCTL32 ref: 00618B71
ReleaseCapture.USER32 ref: 00618B77
SetWindowTextW.USER32(?,00000000), ref: 00618C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00618C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00618CFF

Strings

@GUI_DRAGFILE, xrefs: 00618C9A
@GUI_DROPID, xrefs: 00618C51
p#e, xrefs: 00618C71

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#e
API String ID: 1924731296-1096792570
Opcode ID: 141b70181b34d4579e4b5365ab33cdbd6c736fd1ba64759e48aed7a0db2cb1cc
Instruction ID: 007535ba31f90fa21de593bf1f246497598d5174d505eb21050a195d3f293797
Opcode Fuzzy Hash: 141b70181b34d4579e4b5365ab33cdbd6c736fd1ba64759e48aed7a0db2cb1cc
Instruction Fuzzy Hash: 4E517C70204305AFD700EF24DC5ABAE7BE6FB89715F04062DF956A72A1CB719D44CBA2

Function 005F3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 005F33CF

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005F33F0

Strings

"%s" (%d) : ==> %s:, xrefs: 005F3522
"%s" (%d) : ==> %s:%s%s, xrefs: 005F3504
Line %d (File "%s"):, xrefs: 005F3443, 005F345C
Error: , xrefs: 005F34D1
Incorrect parameters to object property !, xrefs: 005F34AB
^ ERROR , xrefs: 005F349E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 81b7d8cf46d78c356beb932a4770b44254a9d64b050657f0de9f953adbda3a85
Instruction ID: 8b72b28225ba5646181d4841acfb4fd5e0648431b38500572dc4c6c57ba84d81
Opcode Fuzzy Hash: 81b7d8cf46d78c356beb932a4770b44254a9d64b050657f0de9f953adbda3a85
Instruction Fuzzy Hash: 9F519F7190020AAADF14FBA0CD4AEFEBB7ABF85300F144465F90572062EB252F58DB61

Function 005EB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005EB5FC
_wcslen.LIBCMT ref: 005EB608
_wcslen.LIBCMT ref: 005EB64D
_wcslen.LIBCMT ref: 005EB68C
_wcslen.LIBCMT ref: 005EB6C7

Strings

KEYS, xrefs: 005EB647, 005EB64C
EXISTS, xrefs: 005EB686, 005EB68B
APPEND, xrefs: 005EB6C1, 005EB6C6
REMOVE, xrefs: 005EB602, 005EB607

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 6d83a4f9d704a935ae5f56936a4a248218f2e020006bca2f337a852e52429189
Instruction ID: 67d70d6b26b539af11192d8a46885b8a08d95dd888d68d47d57c0a507e8ef376
Opcode Fuzzy Hash: 6d83a4f9d704a935ae5f56936a4a248218f2e020006bca2f337a852e52429189
Instruction Fuzzy Hash: 0A410A32A001679ADB246F7EC8905BFBFB5BFA1795B244129E4A1D7284E731CD81C790

Function 005F5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005F5416
GetLastError.KERNEL32 ref: 005F5420
SetErrorMode.KERNEL32(00000000,READY), ref: 005F54A7

Strings

READONLY, xrefs: 005F5452
INVALID, xrefs: 005F5459
UNKNOWN, xrefs: 005F5444
NOTREADY, xrefs: 005F544B
READY, xrefs: 005F5460, 005F5468

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a5138fd60eeaa8b2c0b01cb5b923a1609138cc6585866d25b3a6478a163a00a4
Instruction ID: 0b21e93ac8fcc9433da245b2c140e907c85c0df6be51cbe8c5bcef5fc1e8b62e
Opcode Fuzzy Hash: a5138fd60eeaa8b2c0b01cb5b923a1609138cc6585866d25b3a6478a163a00a4
Instruction Fuzzy Hash: ED31B335A006099FCB10DF68C488BBABFB5FF45305F188059EA05DB252E775DD86CBA1

Function 00613C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00613C79
SetMenu.USER32(?,00000000), ref: 00613C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00613D10
IsMenu.USER32(?), ref: 00613D24
CreatePopupMenu.USER32 ref: 00613D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00613D5B
DrawMenuBar.USER32 ref: 00613D63

Strings

0, xrefs: 00613C54
F, xrefs: 00613D4E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 4f4932fc3e59bcd06c6b30589145224be533b2435c78c0672f4675f59d292028
Instruction ID: d62f3fac65b431999197ddfd42eeb22f2db3b5345349c6aa2db764293ec22e02
Opcode Fuzzy Hash: 4f4932fc3e59bcd06c6b30589145224be533b2435c78c0672f4675f59d292028
Instruction Fuzzy Hash: 14416779A01219AFDB14CF64E884AEA7BB6FF49354F184029E946A7360D770AA10CB94

Function 00613A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00613A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00613AA0
GetWindowLongW.USER32(?,000000F0), ref: 00613AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00613AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00613B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00613BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00613BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00613BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00613BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00613C13

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: cc63b96557194b0a6099e5c05b8f0532574d2cf5da9d26e42a185dbe45e0c484
Instruction ID: a1b2757bd07508a43a022a792cc07eb5582dafb7d8d8fe028753263019e06448
Opcode Fuzzy Hash: cc63b96557194b0a6099e5c05b8f0532574d2cf5da9d26e42a185dbe45e0c484
Instruction Fuzzy Hash: 08619A75900258AFDB10DFA8CC81EEE77B9EB09310F14419AFA15AB3A1D770AE81DB50

Function 005EB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005EB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB165
GetWindowThreadProcessId.USER32(00000000), ref: 005EB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 005EB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,005EA1E1,?,00000001), ref: 005EB21D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: a294c0b6932338be2a63d67a4b67e94ab4b3ddada17c7107f5b4d4d6a418ac18
Instruction ID: a001f6f38d05548244bb18efa961a2cf8dcfb7ff0f3307756767b841c0a737b1
Opcode Fuzzy Hash: a294c0b6932338be2a63d67a4b67e94ab4b3ddada17c7107f5b4d4d6a418ac18
Instruction Fuzzy Hash: CB31AC79540354BFEB18DF25DC48BAE7FAABF50763F149005FA40D6290D7B49A008F64

Function 005B2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005B2C94

Part of subcall function 005B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005B2CA0
_free.LIBCMT ref: 005B2CAB
_free.LIBCMT ref: 005B2CB6
_free.LIBCMT ref: 005B2CC1
_free.LIBCMT ref: 005B2CCC
_free.LIBCMT ref: 005B2CD7
_free.LIBCMT ref: 005B2CE2
_free.LIBCMT ref: 005B2CED
_free.LIBCMT ref: 005B2CFB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 958b8e5660d8463c1b7d31c9fb4606ab330286717d895aa087077b6ebe35f6f0
Instruction ID: 77a90cdfb58d8841efc75902c46adbe3c340455488423abb4172afe0f4723488
Opcode Fuzzy Hash: 958b8e5660d8463c1b7d31c9fb4606ab330286717d895aa087077b6ebe35f6f0
Instruction Fuzzy Hash: 1B116276500109BFCB02EF54D986CDD3FA5BF49350F5149A5FA4C9B222DA31FA909BA0

Function 005F7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005F7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 005F7FC1
GetFileAttributesW.KERNEL32(?), ref: 005F7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 005F8005
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8017
SetCurrentDirectoryW.KERNEL32(?), ref: 005F8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005F80B0

Strings

*.*, xrefs: 005F8066

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 5e8ece8ee318201273c6636d85e99a6d88b9938ae9a2c3af1e5c2a8373c29408
Instruction ID: a6bc9ff36636aa1c57612e3325e1d3c6d84ae2cc6f545b1e83f378ea0de962bb
Opcode Fuzzy Hash: 5e8ece8ee318201273c6636d85e99a6d88b9938ae9a2c3af1e5c2a8373c29408
Instruction Fuzzy Hash: 56819D725082099BCB20EF24C8489BEBBE9BF89314F544C5EFA95D7250EB38DD458B52

Function 00585BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00585C7A

Part of subcall function 00585D0A: GetClientRect.USER32(?,?), ref: 00585D30
Part of subcall function 00585D0A: GetWindowRect.USER32(?,?), ref: 00585D71
Part of subcall function 00585D0A: ScreenToClient.USER32(?,?), ref: 00585D99

GetDC.USER32 ref: 005C46F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005C4708
SelectObject.GDI32(00000000,00000000), ref: 005C4716
SelectObject.GDI32(00000000,00000000), ref: 005C472B
ReleaseDC.USER32(?,00000000), ref: 005C4733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005C47C4

Strings

U, xrefs: 005C4693

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 599854c6685d731939e1bd5cefd24b3b9333148b0da17a6999fc47dc1ccc465f
Instruction ID: 541ce78656780a79a3c8970bf928f3e0157f0cc9fc3041af3637fe6eaa722244
Opcode Fuzzy Hash: 599854c6685d731939e1bd5cefd24b3b9333148b0da17a6999fc47dc1ccc465f
Instruction Fuzzy Hash: 84719931400205DFCF219FA4C994EAA7FB6FF4A364F184269ED556A2AAD3318882DF50

Function 005F359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005F35E4

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

LoadStringW.USER32(00652390,?,00000FFF,?), ref: 005F360A

Strings

"%s" (%d) : ==> %s:, xrefs: 005F3742
"%s" (%d) : ==> %s:%s%s, xrefs: 005F3724
Line %d (File "%s"):, xrefs: 005F366B
^ ERROR, xrefs: 005F36C9
Error: , xrefs: 005F36EF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: c3cb9d95f5f315a4b4487b10d4a72da0b8dad88f51fba4181859ba8c4b114e1e
Instruction ID: 61360197982ebb4a763822ba854230f3e6f04ad194686299ba549fa6acb0964e
Opcode Fuzzy Hash: c3cb9d95f5f315a4b4487b10d4a72da0b8dad88f51fba4181859ba8c4b114e1e
Instruction Fuzzy Hash: 5C513A7180020AAADF14FBA0CC4AEFEBF79BF85301F144125F605721A1EB351B99DBA1

Function 005FC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005FC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005FC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005FC2CA
GetLastError.KERNEL32 ref: 005FC322
SetEvent.KERNEL32(?), ref: 005FC336
InternetCloseHandle.WININET(00000000), ref: 005FC341

Strings

, xrefs: 005FC2BB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 55fd6d6e0d431a000ab08f86b9c18732a7fa0c80f9ba9858d473b14802d85d87
Instruction ID: 5d6c73e7186b2ba9b182244d9f7235bd847625a9a692895635189afd95349ca8
Opcode Fuzzy Hash: 55fd6d6e0d431a000ab08f86b9c18732a7fa0c80f9ba9858d473b14802d85d87
Instruction Fuzzy Hash: C93171B164020CAFD7219F648D88ABF7FFDFB49794B14892EF54692240DB38DD049B61

Function 005E989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005C3AAF,?,?,Bad directive syntax error,0061CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 005E98BC
LoadStringW.USER32(00000000,?,005C3AAF,?), ref: 005E98C3

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005E9987

Strings

., xrefs: 005E996D
%s (%d) : ==> %s.: %s %s, xrefs: 005E98F1
Line %d:, xrefs: 005E9912
Line %d (File "%s"):, xrefs: 005E992D
Error: , xrefs: 005E9955

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: c396ee9666ef6628c47b8b6abae1139d360c64fad8e8a38c5ac792a6e3adaaab
Instruction ID: 1831e97e5689ccb5020e4ab76d70ffd4832b0aea71e591d3bdf2c01ebb877b2e
Opcode Fuzzy Hash: c396ee9666ef6628c47b8b6abae1139d360c64fad8e8a38c5ac792a6e3adaaab
Instruction Fuzzy Hash: 8121803194021BABCF15AF90CC0AEEE7B76BF59700F084429F915720A2EB759A18CB51

Function 005E209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005E20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 005E20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005E214D

Strings

details, xrefs: 005E20FB
SHELLDLL_DefView, xrefs: 005E20CC
list, xrefs: 005E212F
smallicons, xrefs: 005E2115
largeicons, xrefs: 005E20E1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 843b1b11847211c4187ebc27df7c5d74b8f21789e287ba913a303e0f4b6f8073
Instruction ID: cf18bbdfa396266464bcab1c6aaaf43ef535395cb498765913f773c11846634c
Opcode Fuzzy Hash: 843b1b11847211c4187ebc27df7c5d74b8f21789e287ba913a303e0f4b6f8073
Instruction Fuzzy Hash: 12113A762C8707BBF70D2221DC0ADEA3F9DEB06324F200016F745A40E6FAB159419914

Function 005BCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 005BCEB7
_free.LIBCMT ref: 005BCF22
_free.LIBCMT ref: 005BCF48
_free.LIBCMT ref: 005BCF71
_free.LIBCMT ref: 005BCFA9
_free.LIBCMT ref: 005BCFDA
_free.LIBCMT ref: 005BD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 005BD09C
_free.LIBCMT ref: 005BD0B5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: ed434a90838df64a039bbe4a9d06a94c553261c3954826e98c44add3008f21af
Instruction ID: 7921f0c8ce9711ebafdd97aa57dbdef8910872750344e27f861638ef401b5497
Opcode Fuzzy Hash: ed434a90838df64a039bbe4a9d06a94c553261c3954826e98c44add3008f21af
Instruction Fuzzy Hash: 48614771904306AFDB21AFB49889AFE7FA6FF45310F1446ADF94597242E631BD008B64

Function 006150D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00615186
ShowWindow.USER32(?,00000000), ref: 006151C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 006151CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 006151D1

Part of subcall function 00616FBA: DeleteObject.GDI32(00000000), ref: 00616FE6

GetWindowLongW.USER32(?,000000F0), ref: 0061520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0061521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0061524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00615287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00615296

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 158a725521f03c818eb44a85475c010ab3e7f21ef7a9030a2bbd36b039a15d9b
Instruction ID: d275fa65893ef8f0b26f56ad4e6ff31c09addf64ad765cb1b9326c74f2211cf4
Opcode Fuzzy Hash: 158a725521f03c818eb44a85475c010ab3e7f21ef7a9030a2bbd36b039a15d9b
Instruction Fuzzy Hash: 6551B631A50A09FEEF219F24CC4ABD8BB67FB85321F1C8116F516962E0C7B59AD0DB40

Function 00598B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 005D6890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 005D68A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005D68B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 005D68D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005D68F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00598874,00000000,00000000,00000000,000000FF,00000000), ref: 005D6901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005D691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00598874,00000000,00000000,00000000,000000FF,00000000), ref: 005D692D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 2ac061df274ced206bdfcff034763960652aa0b09b1be01f141e3c54999f7012
Instruction ID: c9979d388ff56e96af2c2ff1f484d669ae10cb8f013c9ef16531d8156d9b0c7e
Opcode Fuzzy Hash: 2ac061df274ced206bdfcff034763960652aa0b09b1be01f141e3c54999f7012
Instruction Fuzzy Hash: 21518870600209EFDF20CF28CC55FAA7BB6FB89760F18451AF952972A0DB70E991DB50

Function 005FC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005FC182
GetLastError.KERNEL32 ref: 005FC195
SetEvent.KERNEL32(?), ref: 005FC1A9

Part of subcall function 005FC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005FC272
Part of subcall function 005FC253: GetLastError.KERNEL32 ref: 005FC322
Part of subcall function 005FC253: SetEvent.KERNEL32(?), ref: 005FC336
Part of subcall function 005FC253: InternetCloseHandle.WININET(00000000), ref: 005FC341

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 8f6f7e6cf137c42ba23aa3f62c7a6c50333957e7188db3070a660650298e0887
Instruction ID: 124148affbe56cc02285837c9801022257073ccfadf085fa7065d2baf99a18ea
Opcode Fuzzy Hash: 8f6f7e6cf137c42ba23aa3f62c7a6c50333957e7188db3070a660650298e0887
Instruction Fuzzy Hash: 9031A17514060DAFDB219FA5DE44ABABFF9FF58310B04842EFA9682610C734E914DB60

Function 005E25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E3A57
Part of subcall function 005E3A3D: GetCurrentThreadId.KERNEL32 ref: 005E3A5E
Part of subcall function 005E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005E25B3), ref: 005E3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 005E25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005E25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 005E25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 005E25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005E2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 005E2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 005E260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005E2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 005E2627

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a195eaef08ec8eef26a8e98df70c287f1b54595e78dba90071e83a1e4624855e
Instruction ID: 0eead54c64f71ed9dff00c35b5a03068e4b38cd726362625991f90a5b846baa5
Opcode Fuzzy Hash: a195eaef08ec8eef26a8e98df70c287f1b54595e78dba90071e83a1e4624855e
Instruction Fuzzy Hash: 1101B5302D0354BBFB106769DC8EF9D3E5AEB8AB21F105012F358AF0D5C9E114449AA9

Function 005E1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,005E1449,?,?,00000000), ref: 005E180C
HeapAlloc.KERNEL32(00000000,?,005E1449,?,?,00000000), ref: 005E1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005E1449,?,?,00000000), ref: 005E1828
GetCurrentProcess.KERNEL32(?,00000000,?,005E1449,?,?,00000000), ref: 005E1830
DuplicateHandle.KERNEL32(00000000,?,005E1449,?,?,00000000), ref: 005E1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005E1449,?,?,00000000), ref: 005E1843
GetCurrentProcess.KERNEL32(005E1449,00000000,?,005E1449,?,?,00000000), ref: 005E184B
DuplicateHandle.KERNEL32(00000000,?,005E1449,?,?,00000000), ref: 005E184E
CreateThread.KERNEL32(00000000,00000000,005E1874,00000000,00000000,00000000), ref: 005E1868

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 57298dd5da0c68e45fef432f597c941488c647c3374faf95316db5bb9820af89
Instruction ID: de2144346a22f212eb9674165833dde58122bf0d2c9b6de712f3814f9506575e
Opcode Fuzzy Hash: 57298dd5da0c68e45fef432f597c941488c647c3374faf95316db5bb9820af89
Instruction Fuzzy Hash: 3A01BFB52C0744BFE710AB65DC4EF9B7B6DEB89B11F049411FA05DB191C6709800CB20

Function 0060A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 005ED4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 005ED501
Part of subcall function 005ED4DC: Process32FirstW.KERNEL32(00000000,?), ref: 005ED50F
Part of subcall function 005ED4DC: CloseHandle.KERNELBASE(00000000), ref: 005ED5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0060A16D
GetLastError.KERNEL32 ref: 0060A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0060A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0060A268
GetLastError.KERNEL32(00000000), ref: 0060A273
CloseHandle.KERNEL32(00000000), ref: 0060A2C4

Strings

SeDebugPrivilege, xrefs: 0060A18F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1fa7fa5a56e3b8e5d6ab676d2b32d1c13ade662986be94dd6fb2a2672fed00b0
Instruction ID: 5a8f66be46f6e6cf08cc7f637c2e47ce742a7299afe66fa20e6fc9ce5a823451
Opcode Fuzzy Hash: 1fa7fa5a56e3b8e5d6ab676d2b32d1c13ade662986be94dd6fb2a2672fed00b0
Instruction Fuzzy Hash: 9B618C30244342AFD714DF55C498F5ABBA2AF84358F18849CE4668BBA3C772ED45CB92

Function 00613886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00613925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0061393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00613954
_wcslen.LIBCMT ref: 00613999
SendMessageW.USER32(?,00001057,00000000,?), ref: 006139C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006139F4

Strings

SysListView32, xrefs: 006138F7

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: ceafc7f20c0fe6acbb555a9f8ef3865f24785ac05ef61759418dbdd5144d227c
Instruction ID: da334ab4c14c167b8815e4e36b17ec735b9559c1eb0f09eee1f553061da1b952
Opcode Fuzzy Hash: ceafc7f20c0fe6acbb555a9f8ef3865f24785ac05ef61759418dbdd5144d227c
Instruction Fuzzy Hash: C541A371A00219ABEF219F64CC49BEE7BAAFF48350F140526F959E7381D7719E84CB90

Function 005EBC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005EBCFD
IsMenu.USER32(00000000), ref: 005EBD1D
CreatePopupMenu.USER32 ref: 005EBD53
GetMenuItemCount.USER32(01385138), ref: 005EBDA4
InsertMenuItemW.USER32(01385138,?,00000001,00000030), ref: 005EBDCC

Strings

2, xrefs: 005EBD37
0, xrefs: 005EBCA8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 8e722f69d79aac438d27a9c1433f9edba08cbcf0e28e98acb2cccbf3bc4acc5b
Instruction ID: b7f2dd68f8a880339e65e228f3973f2dcc7834704550aec5f5a9e18468786247
Opcode Fuzzy Hash: 8e722f69d79aac438d27a9c1433f9edba08cbcf0e28e98acb2cccbf3bc4acc5b
Instruction Fuzzy Hash: 6251D170A0028A9BEF18CFAACE88BAFBFF5BF45316F148159E491D7290D7709940CB51

Function 005A2D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005A2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 005A2D53
_ValidateLocalCookies.LIBCMT ref: 005A2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 005A2E0C
_ValidateLocalCookies.LIBCMT ref: 005A2E61

Strings

&HZ, xrefs: 005A2DFE, 005A2E07, 005A2E18
csm, xrefs: 005A2DF6

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HZ$csm
API String ID: 1170836740-3069864593
Opcode ID: fd4c9fd5c432b96565d0de94e914c589a820b79a0296604a0f81d5ab0cd5d2e2
Instruction ID: 8d97833571b92919cd2e30723a6a72d707c2c1bb910938419147496dd4115f8f
Opcode Fuzzy Hash: fd4c9fd5c432b96565d0de94e914c589a820b79a0296604a0f81d5ab0cd5d2e2
Instruction Fuzzy Hash: 86417134A0120AABCF10DF6CC856A9EBFA5BF86328F148155E814AB353D735DE56CB90

Function 005EC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005EC913

Strings

warning, xrefs: 005EC8FC
stop, xrefs: 005EC8E4
question, xrefs: 005EC8CC
info, xrefs: 005EC8B4
blank, xrefs: 005EC895

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 95e3f9e10cb32de1680c06eaf3a05bc494f6d4a46449736ff29b83424aa7eef8
Instruction ID: 60f11ba1b258f55f90bad220468c67b3489fe7f10bd4cd30a903c9d60b0cd51d
Opcode Fuzzy Hash: 95e3f9e10cb32de1680c06eaf3a05bc494f6d4a46449736ff29b83424aa7eef8
Instruction Fuzzy Hash: 95115B31689347BAE7089B55DC82CAE2F9CFF16724B11002AF440E6183D7B4ED415669

Function 006140AD Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0058600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0058604C
Part of subcall function 0058600E: GetStockObject.GDI32(00000011), ref: 00586060
Part of subcall function 0058600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00614112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0061411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0061412A
SendMessageW.USER32(?,00000401,00000000,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 00614139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00614145

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 0061412C
Msctls_Progress32, xrefs: 006140E3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 1025951953-2851661608
Opcode ID: f1a303739460f764a7d1b2c41bea4d02ef2c7533bb19a12dda7ace2c011a7244
Instruction ID: 95bb7e2b7762469e6bed30ae9e05cb79287202abe0721ccc0630b55e11f15ff6
Opcode Fuzzy Hash: f1a303739460f764a7d1b2c41bea4d02ef2c7533bb19a12dda7ace2c011a7244
Instruction Fuzzy Hash: 9E11B6B2140219BEEF119F64CC86EE77F5EEF09798F014111FA18A6150CB729C61DBA4

Function 005EDE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005EDE42
gethostname.WSOCK32(?,00000100), ref: 005EDE5C
gethostbyname.WSOCK32(?), ref: 005EDE69
inet_ntoa.WSOCK32(?), ref: 005EDEAB
_strcat.LIBCMT ref: 005EDEB9
WSACleanup.WSOCK32 ref: 005EDEDE

Strings

0.0.0.0, xrefs: 005EDE87

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 6a0824207e435390bf8d696397cdd3d9bd77340f4d316d1e1a985eee5b3ba93c
Instruction ID: caa00988461ec10407e5dfa44eee6f7055e122583a34857f0c9a5806f3f2cac1
Opcode Fuzzy Hash: 6a0824207e435390bf8d696397cdd3d9bd77340f4d316d1e1a985eee5b3ba93c
Instruction Fuzzy Hash: BB11E771904115AFCB246B61DC4EDEF7FBDFB55720F05016AF44596091EFB18A818A60

Function 005EED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 005EED2A
_wcslen.LIBCMT ref: 005EED3B
_wcslen.LIBCMT ref: 005EED79
_wcslen.LIBCMT ref: 005EEDAF
_wcslen.LIBCMT ref: 005EEDDF
_wcslen.LIBCMT ref: 005EEDEF
_wcslen.LIBCMT ref: 005EEE2B
_wcslen.LIBCMT ref: 005EEE5A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: f0d7bb799f8bfdc160f7987e9d983afb804a8358ca862f928f2e0c69f99dc7a7
Instruction ID: 303f6f56d9b620b4046b38a7cb826e55058d11f66bd954f8943cf006aa6967e5
Opcode Fuzzy Hash: f0d7bb799f8bfdc160f7987e9d983afb804a8358ca862f928f2e0c69f99dc7a7
Instruction Fuzzy Hash: 15419265C10159A9CB11EBF48C8EACFBBACBF86310F508466E514E3122EB34D255C7A5

Function 0059F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 0059F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 005DF3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 005DF454

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: ef75d15257b67a064a0ea27e3e4be8b91f98d065bf6cf461d9e78415f0eb7357
Instruction ID: 23b90a52de5eb829d1be95d3bf87b812842e870cea76bc824c636be83fe91437
Opcode Fuzzy Hash: ef75d15257b67a064a0ea27e3e4be8b91f98d065bf6cf461d9e78415f0eb7357
Instruction Fuzzy Hash: 04412B31608680BECF399B3DD88876A7F93BB56324F18983FE047D6660D675A880C711

Function 00612D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00612D1B
GetDC.USER32(00000000), ref: 00612D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00612D2E
ReleaseDC.USER32(00000000,00000000), ref: 00612D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00612D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00612D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00615A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00612DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00612DE1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 9f696234702e7dceee56c7041f1e27ffb437e3ba6552f4f369223aa517b23e99
Instruction ID: bdd20e641fc508b0894b24db4846ffe830fe5f8b1c38b075f06c029763eb7da6
Opcode Fuzzy Hash: 9f696234702e7dceee56c7041f1e27ffb437e3ba6552f4f369223aa517b23e99
Instruction Fuzzy Hash: 00317F72241214BFEB158F50DC8AFEB3BAAEF09725F089056FE089A291C6759C50C7A4

Function 005E5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 005E5637
_memcmp.LIBVCRUNTIME ref: 005E5659
_memcmp.LIBVCRUNTIME ref: 005E5671
_memcmp.LIBVCRUNTIME ref: 005E5684
_memcmp.LIBVCRUNTIME ref: 005E569E
_memcmp.LIBVCRUNTIME ref: 005E56B1
_memcmp.LIBVCRUNTIME ref: 005E56C9
_memcmp.LIBVCRUNTIME ref: 005E56E4

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9d40ec30f82f0db53b2684ebc26a24abe042a62c03dde289a645ace78fc3cb0c
Instruction ID: fb7497cf17406f08632d70095259fbd811abef6cab5d28a94a64d946d9c363f1
Opcode Fuzzy Hash: 9d40ec30f82f0db53b2684ebc26a24abe042a62c03dde289a645ace78fc3cb0c
Instruction Fuzzy Hash: 4121D761640E4A7BD61C9B228E92FFF3B5DBF6138CF480421FD469A581F760ED1081E9

Function 00604FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00605007
NULL Pointer assignment, xrefs: 0060502E, 00605383

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: decf06b7190a5bde10842ac61e5bd74ddc608c9bd303a8cc2f70f98b4a25ea5c
Instruction ID: 664959d6cd927b940ed858cefa8abec2b7995a41799b5720f20b35794dc7fd1d
Opcode Fuzzy Hash: decf06b7190a5bde10842ac61e5bd74ddc608c9bd303a8cc2f70f98b4a25ea5c
Instruction Fuzzy Hash: 02D19E71A8060A9FDF18CF98C885AEFB7B6BF48344F148469E916AB281E770DD45CF50

Function 005C1522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 005C15CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C1651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,005C17FB,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C16E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C16FB

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,005C17FB,00000000,00000000,?,00000000,?,?,?,?), ref: 005C1777
__freea.LIBCMT ref: 005C17A2
__freea.LIBCMT ref: 005C17AE

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f1549b5ca5da1db9f649441cc1a4b5c2e73e4a67c2e4d29b04f82f8592bae8c2
Instruction ID: 487cc0da234390410194debd652d22a333561348585104de0268bcd3027ad589
Opcode Fuzzy Hash: f1549b5ca5da1db9f649441cc1a4b5c2e73e4a67c2e4d29b04f82f8592bae8c2
Instruction Fuzzy Hash: AE918071E00A169EDB208EA4C995FEE7FF5FB4A710F18465DE802E6142DB25DC408BA8

Function 00604523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00604648
VariantInit.OLEAUT32(?), ref: 00604749
VariantClear.OLEAUT32(?), ref: 00604753
VariantClear.OLEAUT32(?), ref: 006047B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 006045D8, 00604706, 006047BE
Incorrect Object type in FOR..IN loop, xrefs: 0060472C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 8f85f76044a455452caad64d72fe064e75755a08f9d2d76f90ac2788dc21b4ec
Instruction ID: ba640af9e28db937237654e9a1b1c4a3d43f3b16d3ad4592bf4f519c98faa2b9
Opcode Fuzzy Hash: 8f85f76044a455452caad64d72fe064e75755a08f9d2d76f90ac2788dc21b4ec
Instruction Fuzzy Hash: E29171B1A40215ABDF34CFA4C844FEFBBBAEF46714F148559F605AB280DB709941CBA0

Function 005F1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 005F125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 005F1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 005F12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 005F1430

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 625db872bd1d72213170c937e7784b4dd1df2efc675d209195692f29cdf3f6c7
Instruction ID: 0d313535bf0c233c5f5cac17d087ea236434190f63f7cf8ca400ee50c5a476ea
Opcode Fuzzy Hash: 625db872bd1d72213170c937e7784b4dd1df2efc675d209195692f29cdf3f6c7
Instruction Fuzzy Hash: E891E475A0060DDFDB00DF94C889BBEBBB5FF85325F144429EA10EB291D778A941CB98

Function 0059948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: ce4a47aea2f9059eb8d8ead51db68f2e19e1b06573408fbae7ebd78f108c0de8
Instruction ID: 5c68c7ee12af64bd612b42a50bde9fc299746e1b63d429a76627262e571e0740
Opcode Fuzzy Hash: ce4a47aea2f9059eb8d8ead51db68f2e19e1b06573408fbae7ebd78f108c0de8
Instruction Fuzzy Hash: 02912571940219AFCF11CFA9C888AEEBFB9FF89320F14845AE515B7251D375A941CB60

Function 00603947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0060396B
CharUpperBuffW.USER32(?,?), ref: 00603A7A
_wcslen.LIBCMT ref: 00603A8A
VariantClear.OLEAUT32(?), ref: 00603C1F

Part of subcall function 005F0CDF: VariantInit.OLEAUT32(00000000), ref: 005F0D1F
Part of subcall function 005F0CDF: VariantCopy.OLEAUT32(?,?), ref: 005F0D28
Part of subcall function 005F0CDF: VariantClear.OLEAUT32(?), ref: 005F0D34

Strings

AUTOIT.ERROR, xrefs: 00603A80, 00603A85
Incorrect Parameter format, xrefs: 006039A6, 00603BA1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 83c69567ff7e19e8f06954fad940af0acb2d6a4c5344d75338c5503dfe86b09c
Instruction ID: 23e406550ced2f07a8bf3701c9586669b24c14a138897c03f78718e9743b396e
Opcode Fuzzy Hash: 83c69567ff7e19e8f06954fad940af0acb2d6a4c5344d75338c5503dfe86b09c
Instruction Fuzzy Hash: 769149746083069FC704EF24C48596BBBE9BF89315F14882DF8899B391DB30EE05CB92

Function 00604BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 005E000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?,?,005E035E), ref: 005E002B
Part of subcall function 005E000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0046
Part of subcall function 005E000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0054
Part of subcall function 005E000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?), ref: 005E0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00604C51
_wcslen.LIBCMT ref: 00604D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00604DCF
CoTaskMemFree.OLE32(?), ref: 00604DDA

Strings

NULL Pointer assignment, xrefs: 00604E23, 00604E52

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 947061b5a50429d3284fa7381110663343e6a67fabd0fdfa470ce3efd90cb8b5
Instruction ID: f7fc782109b6b244c147f039471aacf696b3427082542817b28d57fd567c1f0d
Opcode Fuzzy Hash: 947061b5a50429d3284fa7381110663343e6a67fabd0fdfa470ce3efd90cb8b5
Instruction Fuzzy Hash: D3912AB1D0021E9FDF24DFA4C895AEEBBB9BF48310F10456AE915B7291DB305A45CF60

Function 006120FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00612183
GetMenuItemCount.USER32(00000000), ref: 006121B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006121DD
_wcslen.LIBCMT ref: 00612213
GetMenuItemID.USER32(?,?), ref: 0061224D
GetSubMenu.USER32(?,?), ref: 0061225B

Part of subcall function 005E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E3A57
Part of subcall function 005E3A3D: GetCurrentThreadId.KERNEL32 ref: 005E3A5E
Part of subcall function 005E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005E25B3), ref: 005E3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006122E3

Part of subcall function 005EE97B: Sleep.KERNEL32 ref: 005EE9F3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 408cc4d9d3e884ee605d340bbd1f16b930d2be1593e8c0b1ccea32bf72df9f94
Instruction ID: 94b5487c9938fcc8500577dd451eefe98606c5a744b280172b0fad7daf4f42da
Opcode Fuzzy Hash: 408cc4d9d3e884ee605d340bbd1f16b930d2be1593e8c0b1ccea32bf72df9f94
Instruction Fuzzy Hash: 8F718675A00206AFCB14DF64C855AEEBBF6FF88310F188459E916EB351D734EE918B90

Function 005EAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 005EAEF9
GetKeyboardState.USER32(?), ref: 005EAF0E
SetKeyboardState.USER32(?), ref: 005EAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 005EAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 005EAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 005EAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005EB020

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 995dbd38a57dd6cad0602a00d0dd8f6fe032f47875d6ae2910b6d247479d4176
Instruction ID: 8034480678ff9cab08a87f1a98fe5674cffed3b63e6cd7aa1fbdc13d4c86675f
Opcode Fuzzy Hash: 995dbd38a57dd6cad0602a00d0dd8f6fe032f47875d6ae2910b6d247479d4176
Instruction Fuzzy Hash: 3C51C2A06047D53DFB3A83368849BBB7EA96B46304F088589E1E9458C3C398BCC4D751

Function 005EACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005EAD19
GetKeyboardState.USER32(?), ref: 005EAD2E
SetKeyboardState.USER32(?), ref: 005EAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005EADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005EADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005EAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005EAE38

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6b1fddffbed921a7c136927dd38095ee5c895adddadd52bb80dd2d46d1baac73
Instruction ID: 0a9bae7e5c3e013c020fd677771d64f49e15ce9acf9e266c9d3fcb10f2872efd
Opcode Fuzzy Hash: 6b1fddffbed921a7c136927dd38095ee5c895adddadd52bb80dd2d46d1baac73
Instruction Fuzzy Hash: 8051F5A19047D53DFB3B83368C95BBABEA97F46300F088489E1D5468C2C294FC88D762

Function 005B542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(005C3CD6,?,?,?,?,?,?,?,?,005B5BA3,?,?,005C3CD6,?,?), ref: 005B5470
__fassign.LIBCMT ref: 005B54EB
__fassign.LIBCMT ref: 005B5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,005C3CD6,00000005,00000000,00000000), ref: 005B552C
WriteFile.KERNEL32(?,005C3CD6,00000000,005B5BA3,00000000,?,?,?,?,?,?,?,?,?,005B5BA3,?), ref: 005B554B
WriteFile.KERNEL32(?,?,00000001,005B5BA3,00000000,?,?,?,?,?,?,?,?,?,005B5BA3,?), ref: 005B5584

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 310fe5589f8d7d596c5135ddae833cd239de687902609023d4ebe56c0cf1b2b9
Instruction ID: 314934ae5c5a8ec0164b52eac4f7c0bcc71f55c5d81758a379decbf9e7af596a
Opcode Fuzzy Hash: 310fe5589f8d7d596c5135ddae833cd239de687902609023d4ebe56c0cf1b2b9
Instruction Fuzzy Hash: 1851CF70A00649AFDB24CFA8D845BEEBFF9FF09301F14451AE955E7291E630AA41CB60

Function 006010B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0060304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0060307A
Part of subcall function 0060304E: _wcslen.LIBCMT ref: 0060309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00601112
WSAGetLastError.WSOCK32 ref: 00601121
WSAGetLastError.WSOCK32 ref: 006011C9
closesocket.WSOCK32(00000000), ref: 006011F9

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 5c2eea30a42bdecf5ea7e7cd76b696dbafa4776d7ce622e217da9a1372df5d3e
Instruction ID: c3ea9dd9ec3d3a45dcee27fbc19678eefeec4bec942f034cc9ef29b632745820
Opcode Fuzzy Hash: 5c2eea30a42bdecf5ea7e7cd76b696dbafa4776d7ce622e217da9a1372df5d3e
Instruction Fuzzy Hash: 3B41B231640214AFDB189F24C884BEABBAAFF46328F148099FD159F3D1D770AD41CBA1

Function 005ECF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005ECF22,?), ref: 005EDDFD

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005ECF22,?), ref: 005EDE16

lstrcmpiW.KERNEL32(?,?), ref: 005ECF45
MoveFileW.KERNEL32(?,?), ref: 005ECF7F
_wcslen.LIBCMT ref: 005ED005
_wcslen.LIBCMT ref: 005ED01B
SHFileOperationW.SHELL32(?), ref: 005ED061

Strings

\*.*, xrefs: 005ECFF3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 89c9b12026a1b5e928a37972abd197d7b2da47cc0b951c56ebdd88ed9b66ab71
Instruction ID: d075fe5f6bf10c5d3e491a9e50a00307444dfe519be27c124e1a6a01171859c9
Opcode Fuzzy Hash: 89c9b12026a1b5e928a37972abd197d7b2da47cc0b951c56ebdd88ed9b66ab71
Instruction Fuzzy Hash: C3419471C452595FDF16EBA1C985ADEBFB9BF48380F0000E6E545EB141EA34E689CB50

Function 00612DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00612E1C
GetWindowLongW.USER32(?,000000F0), ref: 00612E4F
GetWindowLongW.USER32(?,000000F0), ref: 00612E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00612EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00612EE0
GetWindowLongW.USER32(?,000000F0), ref: 00612EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00612F0B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e1f6d30885c9ee8af80c20fafc87156773fcdcd229965de4ee25a72ced588e49
Instruction ID: f7a950446eee939d730dfe2408f1ccf123ea5612a235550f298c1fb86a6f94d8
Opcode Fuzzy Hash: e1f6d30885c9ee8af80c20fafc87156773fcdcd229965de4ee25a72ced588e49
Instruction Fuzzy Hash: 7F31F4306442529FDB21CF58DC94FE937E2EB4A721F195165FA148F2B1CB71ACA09B41

Function 005E7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E778F
SysAllocString.OLEAUT32(00000000), ref: 005E7792
SysAllocString.OLEAUT32(?), ref: 005E77B0
SysFreeString.OLEAUT32(?), ref: 005E77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 005E77DE
SysAllocString.OLEAUT32(?), ref: 005E77EC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5a0b335489f0049fcf5ffa5d98bec9857b92e2753eb671ce5390125c9ce0b0f7
Instruction ID: ee2e045779ad33b2ad040f4c5a35343e07c084518bfa4943d069994a1a40bb27
Opcode Fuzzy Hash: 5a0b335489f0049fcf5ffa5d98bec9857b92e2753eb671ce5390125c9ce0b0f7
Instruction Fuzzy Hash: 90219C76608269AFDF149FA9CC88CBB7BADFB093647048426FA54DB150D6709C428760

Function 005E77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005E7868
SysAllocString.OLEAUT32(00000000), ref: 005E786B
SysAllocString.OLEAUT32 ref: 005E788C
SysFreeString.OLEAUT32 ref: 005E7895
StringFromGUID2.OLE32(?,?,00000028), ref: 005E78AF
SysAllocString.OLEAUT32(?), ref: 005E78BD

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9ab9ea43264c651c5cf4fe53e3885bc0c516c43dd9e72a64e99f1014157bf616
Instruction ID: b1e7886006c00f1042f326bc74c116badadadb9d33815a2ec90059ddfd29d516
Opcode Fuzzy Hash: 9ab9ea43264c651c5cf4fe53e3885bc0c516c43dd9e72a64e99f1014157bf616
Instruction Fuzzy Hash: EB21B03160C258AFDB149FA9CC8CDAA7BECFB1C3607148026F954CB2A0D670DC41CB64

Function 005F04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005F04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005F052E

Strings

nul, xrefs: 005F0567

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 5c1174da66db0664f05dfb0d2215cd78696e8e941f880b5b988c04234620ce65
Instruction ID: b0019f55552a28f220096bf29bf11f360550d74d7fc43b3d2cf5d290187d549c
Opcode Fuzzy Hash: 5c1174da66db0664f05dfb0d2215cd78696e8e941f880b5b988c04234620ce65
Instruction Fuzzy Hash: CD218D71600319ABDF208F29DC44ABA7BE5BF44724F285A19FAA1D72E1D7B4D940CF20

Function 005F05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005F05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005F0601

Strings

nul, xrefs: 005F0639

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c17fd760c18ef1a7c8749f0794e29334a9136f918b0ab78d852cdadea3c0e491
Instruction ID: c613f9a73e685b88f8368041e616ba8e7d65f5d7ba910419d52b64b0bbc39742
Opcode Fuzzy Hash: c17fd760c18ef1a7c8749f0794e29334a9136f918b0ab78d852cdadea3c0e491
Instruction Fuzzy Hash: B421B5755003199BDB208F68CC04ABA7BE4BF85730F285E19FEA1E72D1D7B49960CB10

Function 005BD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005BD7A3: _free.LIBCMT ref: 005BD7CC

_free.LIBCMT ref: 005BD82D

Part of subcall function 005B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BD838
_free.LIBCMT ref: 005BD843
_free.LIBCMT ref: 005BD897
_free.LIBCMT ref: 005BD8A2
_free.LIBCMT ref: 005BD8AD
_free.LIBCMT ref: 005BD8B8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 21708a90843faba8f5ea19126ed09bea41547f114c2211c4078815b09ff9d0a0
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: E811F671940B05BADA21BFB0CC4AFCB7FACBF84700F404C25B29DA6492EA69B5458670

Function 005EDA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005EDA74
LoadStringW.USER32(00000000), ref: 005EDA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005EDA91
LoadStringW.USER32(00000000), ref: 005EDA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005EDADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005EDAB9

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 3cf1742cf2f45c1552899fb39e2a07dc033e52f318e7b71c7ce93adca9e2c5c7
Instruction ID: 030b7e27e49c61daa21e51c7bb92e50c992329139a7a92edfb9cdcbb3c59d2cf
Opcode Fuzzy Hash: 3cf1742cf2f45c1552899fb39e2a07dc033e52f318e7b71c7ce93adca9e2c5c7
Instruction Fuzzy Hash: 260186F65402087FE7109BA4DD89EEB377DE708311F4494A2B746E2041E6749E844F74

Function 005F096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0137E538,0137E538), ref: 005F097B
EnterCriticalSection.KERNEL32(0137E518,00000000), ref: 005F098D
TerminateThread.KERNEL32(?,000001F6), ref: 005F099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 005F09A9
CloseHandle.KERNEL32(?), ref: 005F09B8
InterlockedExchange.KERNEL32(0137E538,000001F6), ref: 005F09C8
LeaveCriticalSection.KERNEL32(0137E518), ref: 005F09CF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 794b098e86dc2d266884600c1907bc130577d8057ef8e92a7903c963ffdf26c6
Instruction ID: 7017d79fda1f3a860348c9ac5b0fbfa5ba4e017e696e9fb062a2f399475d41c9
Opcode Fuzzy Hash: 794b098e86dc2d266884600c1907bc130577d8057ef8e92a7903c963ffdf26c6
Instruction Fuzzy Hash: 7DF08131482A12BBD7411F90EE8CBEA7B36FF01712F487012F201518A1C7789561CF90

Function 00601C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00601DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00601DE1
WSAGetLastError.WSOCK32 ref: 00601DF2
htons.WSOCK32(?,?,?,?,?), ref: 00601EDB
inet_ntoa.WSOCK32(?), ref: 00601E8C

Part of subcall function 005E39E8: _strlen.LIBCMT ref: 005E39F2

Part of subcall function 00603224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,005FEC0C), ref: 00603240

_strlen.LIBCMT ref: 00601F35

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 95effd5f867d5238932deda762bc0cbf30d6a0ef578e75aff39e8990c14df9c1
Instruction ID: 11196386fdfac7b80a7e90bec24c818acda5c8537a58902c46c34ae2640cb2e3
Opcode Fuzzy Hash: 95effd5f867d5238932deda762bc0cbf30d6a0ef578e75aff39e8990c14df9c1
Instruction Fuzzy Hash: 2FB1A030244342AFD718EF24C895E6A7BE6AF85318F54854CF4565F2E2DB31ED42CB91

Function 00585D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00585D30
GetWindowRect.USER32(?,?), ref: 00585D71
ScreenToClient.USER32(?,?), ref: 00585D99
GetClientRect.USER32(?,?), ref: 00585ED7
GetWindowRect.USER32(?,?), ref: 00585EF8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 9a0fa702767438b0899af682e68f6819f909a54170bbf370f930af65bfecc585
Instruction ID: 475bfe18bbbb00a5667f8a4905a85e67bc69c53f9948d1c815aba35d0627e63e
Opcode Fuzzy Hash: 9a0fa702767438b0899af682e68f6819f909a54170bbf370f930af65bfecc585
Instruction Fuzzy Hash: D7B16A74A0064ADFDB10DFA9C840BEEBBF5FF54310F14981AE8A9E7250E734AA51DB50

Function 005B01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005B00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B00D6
__allrem.LIBCMT ref: 005B00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B010B
__allrem.LIBCMT ref: 005B0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005B0140

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: f4cfb48a8f83fa9c5c3ef31e7fd4651a35d814c7f93e5713bcc2f30027ceae2d
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: A181C571A00B069FE724AE68CC45BAF7BE9BF82764F24453EF551D62C1E7B0E9008754

Function 005B61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,005A82D9,005A82D9,?,?,?,005B644F,00000001,00000001,8BE85006), ref: 005B6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,005B644F,00000001,00000001,8BE85006,?,?,?), ref: 005B62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 005B63D8
__freea.LIBCMT ref: 005B63E5

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

__freea.LIBCMT ref: 005B63EE
__freea.LIBCMT ref: 005B6413

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 6d328cc8eb4a0d70116267497f684ded03bdbbf91e8137c9c7708440080560de
Instruction ID: 876d44cb00b03b70172f3040cf197247a90358f2cd75212166bf4d9712a10a3b
Opcode Fuzzy Hash: 6d328cc8eb4a0d70116267497f684ded03bdbbf91e8137c9c7708440080560de
Instruction Fuzzy Hash: 4B519172600216ABEB258F64DC85EEF7FAAFB84750F154A29FD05D7140DB38EC44DA60

Function 0060BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060BD25
RegCloseKey.ADVAPI32(00000000), ref: 0060BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0060BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0060BDF3
RegCloseKey.ADVAPI32(?), ref: 0060BDFF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d0a0ae8b81ea8b5c50b274209a37e31f7e3998ed3e31d68bba4ff7f43ba8ba7e
Instruction ID: 782e32f8f7361c1d19c346f6dedec179a5ccec49bd1f7ffe5120f412252cd0b9
Opcode Fuzzy Hash: d0a0ae8b81ea8b5c50b274209a37e31f7e3998ed3e31d68bba4ff7f43ba8ba7e
Instruction Fuzzy Hash: A0818F30108242AFD718DF24C895E6BBBE6FF84308F14995DF4559B2A2DB31ED45CB92

Function 005DF7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 005DF7B9
SysAllocString.OLEAUT32(00000001), ref: 005DF860
VariantCopy.OLEAUT32(005DFA64,00000000), ref: 005DF889
VariantClear.OLEAUT32(005DFA64), ref: 005DF8AD
VariantCopy.OLEAUT32(005DFA64,00000000), ref: 005DF8B1
VariantClear.OLEAUT32(?), ref: 005DF8BB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: e0e8e669fb1daed50fdbd98836ada5cac1079e44e1a1659d24a15b065068f586
Instruction ID: b092bf448c11cc679a86ae71f4bf050d0df5be60abb01b8150944cee96b1d310
Opcode Fuzzy Hash: e0e8e669fb1daed50fdbd98836ada5cac1079e44e1a1659d24a15b065068f586
Instruction Fuzzy Hash: 3551B831940311BADF30AB69D899B297BA9FF85310B149467ED07EF391D7708C40D766

Function 005F910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 005F94E5
_wcslen.LIBCMT ref: 005F9506
_wcslen.LIBCMT ref: 005F952D
GetSaveFileNameW.COMDLG32(00000058), ref: 005F9585

Strings

X, xrefs: 005F9412

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 0e5a45aea1f62f7b61261b817684df740fda087416e07fbd420d94855a71dccc
Instruction ID: 26885c4a848ebc4632f856b9c1ad0b5dd2674c8db51b3bc103e6d42288f5c4d4
Opcode Fuzzy Hash: 0e5a45aea1f62f7b61261b817684df740fda087416e07fbd420d94855a71dccc
Instruction Fuzzy Hash: 60E1A0315087028FD724EF24C485B6ABBE4BFC5314F14896DF9899B2A2EB35DD05CB92

Function 0059920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

BeginPaint.USER32(?,?,?), ref: 00599241
GetWindowRect.USER32(?,?), ref: 005992A5
ScreenToClient.USER32(?,?), ref: 005992C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005992D3
EndPaint.USER32(?,?,?,?,?), ref: 00599321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 005D71EA

Part of subcall function 00599339: BeginPath.GDI32(00000000), ref: 00599357

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: fa731d7af67211ba5a954d81abe4260a1cb0ce26fc322be8fca8f7d72eb0dddf
Instruction ID: cefd9f91a68c44efb140fe5410154c75cb747200cdc63d3964b7196097f921fb
Opcode Fuzzy Hash: fa731d7af67211ba5a954d81abe4260a1cb0ce26fc322be8fca8f7d72eb0dddf
Instruction Fuzzy Hash: BE419D70104301AFDB21DF68CC85FAA7FA9FB8A321F14062EF9958B2A1D7319845DB61

Function 005F07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005F080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 005F0847
EnterCriticalSection.KERNEL32(?), ref: 005F0863
LeaveCriticalSection.KERNEL32(?), ref: 005F08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 005F08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 005F0921

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 125a82b005ee86d96aae0ae77ba3a6a1e636ba9d61e605529406174cb636ce05
Instruction ID: c438df804b9656d15fd162bc33a4f9b10667e9d63c37fd7361879dc13f247b7d
Opcode Fuzzy Hash: 125a82b005ee86d96aae0ae77ba3a6a1e636ba9d61e605529406174cb636ce05
Instruction Fuzzy Hash: 9A416A71A00209EBDF15AF54DC85AAA7BB9FF44310F1880A5ED00DB297DB74DE64DBA0

Function 006181DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,005DF3AB,00000000,?,?,00000000,?,005D682C,00000004,00000000,00000000), ref: 0061824C
EnableWindow.USER32(?,00000000), ref: 00618272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 006182D1
ShowWindow.USER32(?,00000004), ref: 006182E5
EnableWindow.USER32(?,00000001), ref: 0061830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0061832F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 58a99b7619243bd5c8e7c4d994cfc524f7d7490398438534d5265d34c1d2a3fa
Instruction ID: 2729b4835d8e4cd98055135dc509b74d276e9ac43d58f4b69318773f677823b6
Opcode Fuzzy Hash: 58a99b7619243bd5c8e7c4d994cfc524f7d7490398438534d5265d34c1d2a3fa
Instruction Fuzzy Hash: 53419234601644AFDB22CF64C899BE87BF2BB0A715F1C5169E5184F2A2CB71A981CB90

Function 005E4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005E4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005E4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005E4CEA
_wcslen.LIBCMT ref: 005E4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005E4D10
_wcsstr.LIBVCRUNTIME ref: 005E4D1A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 73b21a4e5c07463e14f6a74cb532818cf70cdaf3f8b0d9e67abc00c8c05cfce4
Instruction ID: 21165d63d564f150b9439b94ca2df877f3df1c34a67d1e992a699ca7e8005cd9
Opcode Fuzzy Hash: 73b21a4e5c07463e14f6a74cb532818cf70cdaf3f8b0d9e67abc00c8c05cfce4
Instruction Fuzzy Hash: 8D21F9316042417BEB195B3A9D49E7F7F9DEF85760F14802AF849CA192DA61DC409BA0

Function 005F581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00583AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00583A97,?,?,00582E7F,?,?,?,00000000), ref: 00583AC2

_wcslen.LIBCMT ref: 005F587B
CoInitialize.OLE32(00000000), ref: 005F5995
CoCreateInstance.OLE32(0061FCF8,00000000,00000001,0061FB68,?), ref: 005F59AE
CoUninitialize.OLE32 ref: 005F59CC

Strings

.lnk, xrefs: 005F5876, 005F58C1, 005F5985

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: a747670718a3101e897d22a4fe95adc96091057e54e1afce5c97fe79779480fc
Instruction ID: e1960a119ddf3e974749b960caa91469e4c68c2f65cf6ee9952ac0035aa72aef
Opcode Fuzzy Hash: a747670718a3101e897d22a4fe95adc96091057e54e1afce5c97fe79779480fc
Instruction Fuzzy Hash: 8DD176716087069FC714EF24C48492ABBE5FF89710F14885DFA8A9B361EB35EC45CB92

Function 005E175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005E0FCA
Part of subcall function 005E0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005E0FD6
Part of subcall function 005E0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005E0FE5
Part of subcall function 005E0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005E0FEC
Part of subcall function 005E0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005E1002

GetLengthSid.ADVAPI32(?,00000000,005E1335), ref: 005E17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005E17BA
HeapAlloc.KERNEL32(00000000), ref: 005E17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 005E17DA
GetProcessHeap.KERNEL32(00000000,00000000,005E1335), ref: 005E17EE
HeapFree.KERNEL32(00000000), ref: 005E17F5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: b868c15609e126bcddb069fc4e28a1759bbac013f9a2510216c651d4caa2ebc9
Instruction ID: 95366090e07b507685a1555db490a3e5f13675fd458156c9bb8fb0349c9fa6f9
Opcode Fuzzy Hash: b868c15609e126bcddb069fc4e28a1759bbac013f9a2510216c651d4caa2ebc9
Instruction Fuzzy Hash: FE11BE31580605FFDB189FA5CC49BEE7BBAFB45765F148019F48197210C736A940DB64

Function 005E14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005E14FF
OpenProcessToken.ADVAPI32(00000000), ref: 005E1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005E1515
CloseHandle.KERNEL32(00000004), ref: 005E1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005E154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 005E1563

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 6cd21c987a596613cf82ab3e8cf6170bddf1b26a1631d51c6b7d57a302552bc6
Instruction ID: aa91672b2f8441bee1458edc118d598a30988134b77fe7fb747f41c65c84348f
Opcode Fuzzy Hash: 6cd21c987a596613cf82ab3e8cf6170bddf1b26a1631d51c6b7d57a302552bc6
Instruction Fuzzy Hash: 67115972500289ABDF118F98DD49FDE7BAAFF48714F088016FA45A21A0C3728E60DB64

Function 005A3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005A3379,005A2FE5), ref: 005A3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005A339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005A33B7
SetLastError.KERNEL32(00000000,?,005A3379,005A2FE5), ref: 005A3409

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 58c805a30bfef9ff3b045007f93de85c074629238f624a662fbc443fd55c108f
Instruction ID: 705121828291b76ba1ef54e06b76884afaf6970357cec95e655a0f06d3a2ede5
Opcode Fuzzy Hash: 58c805a30bfef9ff3b045007f93de85c074629238f624a662fbc443fd55c108f
Instruction Fuzzy Hash: F601243260E312BEEF6427B47C995AF2E95FB4777D730022AF420812F0EF124D059544

Function 005B2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005B5686,005C3CD6,?,00000000,?,005B5B6A,?,?,?,?,?,005AE6D1,?,00648A48), ref: 005B2D78
_free.LIBCMT ref: 005B2DAB
_free.LIBCMT ref: 005B2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,005AE6D1,?,00648A48,00000010,00584F4A,?,?,00000000,005C3CD6), ref: 005B2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,005AE6D1,?,00648A48,00000010,00584F4A,?,?,00000000,005C3CD6), ref: 005B2DEC
_abort.LIBCMT ref: 005B2DF2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 5ae1a8db71410871e571ffc074946e9ade577d39eedb4e071b30148a50fd491a
Instruction ID: 0d69f56ff0ec4b4c3d6e980fcbe05af9be55f6e0f070da86411fe603f387b5df
Opcode Fuzzy Hash: 5ae1a8db71410871e571ffc074946e9ade577d39eedb4e071b30148a50fd491a
Instruction Fuzzy Hash: 21F0A4365456026BC7223738AC0EADE2D5ABFC67B1F254919F82892196EE24B8025170

Function 00618A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00599639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00599693
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996A2
Part of subcall function 00599639: BeginPath.GDI32(?), ref: 005996B9
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00618A4E
LineTo.GDI32(?,00000003,00000000), ref: 00618A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00618A70
LineTo.GDI32(?,00000000,00000003), ref: 00618A80
EndPath.GDI32(?), ref: 00618A90
StrokePath.GDI32(?), ref: 00618AA0

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 2df1c7f03fcb1ab430b4f08813e171c2a819dd29bfd8a41d79e327bf0052c1ad
Instruction ID: faaf4e3bf579199abc9b1d4651d5fe7ed74e065ee536eac2cdb07d6af2f509ae
Opcode Fuzzy Hash: 2df1c7f03fcb1ab430b4f08813e171c2a819dd29bfd8a41d79e327bf0052c1ad
Instruction Fuzzy Hash: 6811F77604010DFFDB129F95DC88EEA7F6EEB08365F04C012BA199A1A1C7729D55DBA0

Function 005E51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005E5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 005E5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005E5230
ReleaseDC.USER32(00000000,00000000), ref: 005E5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 005E524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 005E5261

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 0d55de6bbc2333cf46c6b0c91f66ab7473e72cc6438c167f6f3da31e28d1207a
Instruction ID: 4c8c2ef166c692817bfcd447150a0cbadb9c37a8fd6e7c313653233bc2e990a5
Opcode Fuzzy Hash: 0d55de6bbc2333cf46c6b0c91f66ab7473e72cc6438c167f6f3da31e28d1207a
Instruction Fuzzy Hash: D601A775E40705BBEB109BA69C49E9EBF79FF48361F049066FA04A7280D670DC00CFA0

Function 00581BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00581BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00581BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00581C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00581C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00581C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00581C22

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: f1edd80e3ad51506fe3a8b2a5692aba4832c19d83e576f85069044e8bfb9c506
Instruction ID: 34886289471188d47ef0f7657e5334dbd231efe9fbde9e165c9f3e795de1c486
Opcode Fuzzy Hash: f1edd80e3ad51506fe3a8b2a5692aba4832c19d83e576f85069044e8bfb9c506
Instruction Fuzzy Hash: 560167B0942B5ABDE3008F6A8C85B56FFA8FF19354F04411BA15C4BA42C7F5A864CBE5

Function 005EEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005EEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005EEB46
GetWindowThreadProcessId.USER32(?,?), ref: 005EEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005EEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005EEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005EEB75

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 957922c9cfd9eea3308d50a2b013753e83a2bd51d1b7a45e37c6b0882c985292
Instruction ID: 7b898d8579f17c1bbd9ff12cbf66c9ca11af58d5e15758f3a88054259518acb3
Opcode Fuzzy Hash: 957922c9cfd9eea3308d50a2b013753e83a2bd51d1b7a45e37c6b0882c985292
Instruction Fuzzy Hash: 93F09A72280568BBE7215B629C0EEEF3E7DEFCAB21F04915AF601D1090E7A01A01C6B4

Function 005D7439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 005D7452
SendMessageW.USER32(?,00001328,00000000,?), ref: 005D7469
GetWindowDC.USER32(?), ref: 005D7475
GetPixel.GDI32(00000000,?,?), ref: 005D7484
ReleaseDC.USER32(?,00000000), ref: 005D7496
GetSysColor.USER32(00000005), ref: 005D74B0

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 6102c6fc76077552a72bb9ed1455bc50eb43e1f886334e273813b795c3edf8b7
Instruction ID: e6ba147ebfcbeb6dce0522952a0ea47a25829c643373b2ae45bafccccde1a933
Opcode Fuzzy Hash: 6102c6fc76077552a72bb9ed1455bc50eb43e1f886334e273813b795c3edf8b7
Instruction Fuzzy Hash: D2018B31440219EFDB619F68DC08BEE7FB6FB08322F589066F915A21A0CB311E51EB50

Function 005E1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005E187F
UnloadUserProfile.USERENV(?,?), ref: 005E188B
CloseHandle.KERNEL32(?), ref: 005E1894
CloseHandle.KERNEL32(?), ref: 005E189C
GetProcessHeap.KERNEL32(00000000,?), ref: 005E18A5
HeapFree.KERNEL32(00000000), ref: 005E18AC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 86df54c2818f76a06d12b8bdc8e5ac166e1398c53121ddd7f0b44788b3f6d6e4
Instruction ID: c6e870b05475c535a55d10fd0c5517748bf0531005a150b2a2c0d1f3c78fb270
Opcode Fuzzy Hash: 86df54c2818f76a06d12b8bdc8e5ac166e1398c53121ddd7f0b44788b3f6d6e4
Instruction Fuzzy Hash: 83E0C236484A51BBDB015BA1ED0D98ABB2AFB49B32B14D222F225810B0CB729420EB50

Function 0058BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0058BEB3

Strings

D%e, xrefs: 0058BCA2
D%eD%e, xrefs: 0058BCA5
D%e, xrefs: 0058BE9A
D%e, xrefs: 0058BDED, 0058BD91, 0058BD1B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%e$D%e$D%e$D%eD%e
API String ID: 1385522511-4060382725
Opcode ID: 158f5abb3c332663e7c301b06d5bb8c30268bbd93655ee3c44423b77a0ea53c8
Instruction ID: 7fee58eb461eb351cd2c99f200e7631d145df823db510f54b35e6fb388b103ba
Opcode Fuzzy Hash: 158f5abb3c332663e7c301b06d5bb8c30268bbd93655ee3c44423b77a0ea53c8
Instruction Fuzzy Hash: 61915B75A0020ADFDB18DF58C0916AABBF6FF59310F24856AD981AB351E731ED81CBD0

Function 00607B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 005A0242: EnterCriticalSection.KERNEL32(0065070C,00651884,?,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A024D
Part of subcall function 005A0242: LeaveCriticalSection.KERNEL32(0065070C,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A028A

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005A00A3: __onexit.LIBCMT ref: 005A00A9

__Init_thread_footer.LIBCMT ref: 00607BFB

Part of subcall function 005A01F8: EnterCriticalSection.KERNEL32(0065070C,?,?,00598747,00652514), ref: 005A0202
Part of subcall function 005A01F8: LeaveCriticalSection.KERNEL32(0065070C,?,00598747,00652514), ref: 005A0235

Strings

Variable must be of type 'Object'., xrefs: 00607C3A
+T], xrefs: 00607E2E
G, xrefs: 00607C7F
5, xrefs: 00607C78

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +T]$5$G$Variable must be of type 'Object'.
API String ID: 535116098-1530314938
Opcode ID: 379a75fcb7beb88c2efc734e34a3e7b3b985cd22cfcf583e6829564e3ca6a7e1
Instruction ID: ddc66470a52c5c82d309a076ddafa590a000b745d571042c03c379fe6d51c348
Opcode Fuzzy Hash: 379a75fcb7beb88c2efc734e34a3e7b3b985cd22cfcf583e6829564e3ca6a7e1
Instruction Fuzzy Hash: 6D919B70A44209AFDB08EF54D8959EEBBB2FF85300F148059F806AB3D2DB31AE41CB50

Function 005EC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005EC6EE
_wcslen.LIBCMT ref: 005EC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005EC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005EC7CA

Strings

0, xrefs: 005EC6AF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: b78c86e4b8e8a5d9c8cf4f0b005112eb7057b55bb0a9fd3ceee6e2731ae1c066
Instruction ID: 1aacab822cbe38b94e28fa20918c0c7b4a76aa210cabd3f9ce716ec6d5651b68
Opcode Fuzzy Hash: b78c86e4b8e8a5d9c8cf4f0b005112eb7057b55bb0a9fd3ceee6e2731ae1c066
Instruction Fuzzy Hash: 4151BF716043819BD7189F2AC889B6B7FE8FF8A314F040A2DF9D5E6190DB60DD068B52

Function 0060AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0060AEA3

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

GetProcessId.KERNEL32(00000000), ref: 0060AF38
CloseHandle.KERNEL32(00000000), ref: 0060AF67

Strings

<, xrefs: 0060AE6B
@, xrefs: 0060AE72

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 853112986aedfc12e526ea116d81090f76818ef2cf32a1917ec52db70221da72
Instruction ID: 23cf328ce23afb4be2fdd5f5d1a7a8203e9ee6afa6907735e68d2cbb7b98f197
Opcode Fuzzy Hash: 853112986aedfc12e526ea116d81090f76818ef2cf32a1917ec52db70221da72
Instruction Fuzzy Hash: 22718C71A0021ADFCB14EF94C488A9EBBF1FF48314F148499E856AB3A2D774ED41CB91

Function 005E719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005E7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005E723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005E724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005E72CF

Strings

DllGetClassObject, xrefs: 005E7242

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 92567a89a32eb5fae6a9418a248969a01f9d422dae5c5f59c3830d9ce62ddaa0
Instruction ID: 5b781c833236d7c21c79b8fa370ac93b58cac6378135799cbb074d1f6f656e28
Opcode Fuzzy Hash: 92567a89a32eb5fae6a9418a248969a01f9d422dae5c5f59c3830d9ce62ddaa0
Instruction Fuzzy Hash: 624194B5604249EFDB19CF55C884A9A7FAAFF48310F1484A9BE059F20AD7B0DD44DBA0

Function 00613D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00613E35
IsMenu.USER32(?), ref: 00613E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00613E92
DrawMenuBar.USER32 ref: 00613EA5

Strings

0, xrefs: 00613D89

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 785d34ab2b4f2889f1735bb2ab031165fb571dde8a53635afe3c7270510c264a
Instruction ID: fdf2b2f2e8aa6b4eb18b9416e330568b20bc38f682acda8808dcd8a9ac3b2e81
Opcode Fuzzy Hash: 785d34ab2b4f2889f1735bb2ab031165fb571dde8a53635afe3c7270510c264a
Instruction Fuzzy Hash: 50414D75A00319EFDB10DF50D884ADABBB6FF45350F08411AE90697360D730AE95CF50

Function 005E1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005E1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005E1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 005E1EA9

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Strings

ListBox, xrefs: 005E1E25
ComboBox, xrefs: 005E1DF0

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: b174557a4fc944500da179b2543a4e93a8440dfd734dd53ba4e0deb4dbbbd31c
Instruction ID: 1d4bad761f676ed62306ced051be9819284cfabe583a7b3923494b8b7347b772
Opcode Fuzzy Hash: b174557a4fc944500da179b2543a4e93a8440dfd734dd53ba4e0deb4dbbbd31c
Instruction Fuzzy Hash: 77210471A00145AFDB18AB61CC4ACFFBFADFF81360B144119F865A72E1DB344D058720

Function 00612F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00612F8D
LoadLibraryW.KERNEL32(?), ref: 00612F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00612FA9
DestroyWindow.USER32(?), ref: 00612FB1

Strings

SysAnimate32, xrefs: 00612F68

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 6d11ff92b1f6c8ac7f1617a52d54bcccae219c23491f59e5cfd596dd5f707484
Instruction ID: c263c011f579e796da3e6cd113a62f2004ce2194d40f175c722c6abbdb0e02f5
Opcode Fuzzy Hash: 6d11ff92b1f6c8ac7f1617a52d54bcccae219c23491f59e5cfd596dd5f707484
Instruction Fuzzy Hash: A721CD7124020AAFEB108F64DCA4FFB37BEEB59764F188219F950D6290D771DCA29760

Function 006141EB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0061424F
SendMessageW.USER32(?,00000406,00000000,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 00614264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00614271

Strings

_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00614256
msctls_trackbar32, xrefs: 00614226

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID: _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{$msctls_trackbar32
API String ID: 3850602802-3430821868
Opcode ID: 54b46c93097417e5f1e14350a73dd810758ba37dfb2c3b21855331c3b08d3740
Instruction ID: 29212bbc2623ab74d1e6167d06ef07559fde1e8d0f6779815a0da22b9224da42
Opcode Fuzzy Hash: 54b46c93097417e5f1e14350a73dd810758ba37dfb2c3b21855331c3b08d3740
Instruction Fuzzy Hash: 0211E031240208BEEF209F28CC06FEB3BAEEF95B64F150124FA55E71A0D671DC919B20

Function 005A4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,005A4D1E,005B28E9,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002), ref: 005A4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005A4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,005A4D1E,005B28E9,?,005A4CBE,005B28E9,006488B8,0000000C,005A4E15,005B28E9,00000002,00000000), ref: 005A4DC3

Strings

mscoree.dll, xrefs: 005A4D86
CorExitProcess, xrefs: 005A4D98

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5e9e74f5fe4ef90c465d5dd88eb5152697be625f0fbab53f774a2edce04da884
Instruction ID: cf19c7132a811aca7d3fd628bca3a9fa74efa4e1ab78755e13a1f75867a87ac3
Opcode Fuzzy Hash: 5e9e74f5fe4ef90c465d5dd88eb5152697be625f0fbab53f774a2edce04da884
Instruction Fuzzy Hash: 54F04F35A80218BBDB119F94DC49BEDBFBAEF85761F0440A5F805A2260CB719940CE90

Function 00584E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00584EAE
FreeLibrary.KERNEL32(00000000,?,?,00584EDD,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 00584EA8
kernel32.dll, xrefs: 00584E94

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ee672699c31be385faf558ac3f63507948022cd74e70613464d5799182acbb38
Instruction ID: b8bb6400ad7f412d6904903f59a6f6e97b420cbf3dd4e1ea0679f0def384a95e
Opcode Fuzzy Hash: ee672699c31be385faf558ac3f63507948022cd74e70613464d5799182acbb38
Instruction Fuzzy Hash: E3E0CD35A815336BD3312B256C19B9F6A5DBFC1F7270D4116FC00F2210DB60CD0545A1

Function 00584E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00584E74
FreeLibrary.KERNEL32(00000000,?,?,005C3CDE,?,00651418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00584E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00584E6E
kernel32.dll, xrefs: 00584E5B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 2245f9beb25c84ca1d35476cff511405a5b9783a50840d6ac4f0ea65edb5f402
Instruction ID: 83c3aba89d0199e693a5d768377e8e37363b977fa21327ea5a15177f16aa3802
Opcode Fuzzy Hash: 2245f9beb25c84ca1d35476cff511405a5b9783a50840d6ac4f0ea65edb5f402
Instruction Fuzzy Hash: 4CD01235582632A7D7222B256C1ADCF6E1EBF85B7130A4516BD05F2114CF60CD018AD1

Function 005F2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005F2C05
DeleteFileW.KERNEL32(?), ref: 005F2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005F2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005F2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005F2CC0

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 42fff4bb71e179014fadbffb6c826c2d8f84285f841b3d24d6bb6ae1be416a62
Instruction ID: 03316afbfc9562149c57a1d120d77e5a9db2d110f14fd757a59f69ac109d6b5d
Opcode Fuzzy Hash: 42fff4bb71e179014fadbffb6c826c2d8f84285f841b3d24d6bb6ae1be416a62
Instruction Fuzzy Hash: 23B13FB190011EABDF11EBA4CC89EEE7F7DFF49350F1044A6FA09E6141EA359A448F61

Function 0060A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0060A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0060A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0060A468
CloseHandle.KERNEL32(?), ref: 0060A63D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: aa9169ab4d65a71f77908f43689710bef49097bb68022df8a35e9e207c0e3a0a
Instruction ID: 9a5fb9cff017a5ce74b080cbd12f6b0245ebdf5b7ebeb559a270c2d29b4f86c9
Opcode Fuzzy Hash: aa9169ab4d65a71f77908f43689710bef49097bb68022df8a35e9e207c0e3a0a
Instruction Fuzzy Hash: 2BA1A1716443019FE724DF24D886B2ABBE6BF84714F14881DF95A9B3D2D770EC418B91

Function 005BBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00623700), ref: 005BBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0065121C,000000FF,00000000,0000003F,00000000,?,?), ref: 005BBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00651270,000000FF,?,0000003F,00000000,?), ref: 005BBC36
_free.LIBCMT ref: 005BBB7F

Part of subcall function 005B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BBD4B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 181acf421a12be80ee1abdd7995c0dea6e28c958ea457d47803c50f26552d4e7
Instruction ID: 95f48dab7cbfa68103e10b9c78daaa78f152a5ec33f3a787c3dc4bdf5de720ae
Opcode Fuzzy Hash: 181acf421a12be80ee1abdd7995c0dea6e28c958ea457d47803c50f26552d4e7
Instruction Fuzzy Hash: E151C87190020AEFEB10DF65DC45AEEBFB9FB81320F10466AE454D7191EBF0AE408B50

Function 005EE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005ECF22,?), ref: 005EDDFD

Part of subcall function 005EDDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005ECF22,?), ref: 005EDE16

Part of subcall function 005EE199: GetFileAttributesW.KERNEL32(?,005ECF95), ref: 005EE19A

lstrcmpiW.KERNEL32(?,?), ref: 005EE473
MoveFileW.KERNEL32(?,?), ref: 005EE4AC
_wcslen.LIBCMT ref: 005EE5EB
_wcslen.LIBCMT ref: 005EE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 005EE650

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2c9ed8db5fba199d1255d50ac459d6555031cd310def6053076a83ee3b7957d3
Instruction ID: b880a034188fc6ed9d1bf27fb06ff32a123a8c0c06bd63aac9194963ad396bb1
Opcode Fuzzy Hash: 2c9ed8db5fba199d1255d50ac459d6555031cd310def6053076a83ee3b7957d3
Instruction Fuzzy Hash: 285182B24083855BC728EB90D8869DF7BEDBFC5340F00491EF5C9D3191EE75A5888B66

Function 0060B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 0060C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0060B6AE,?,?), ref: 0060C9B5
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060C9F1
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA68
Part of subcall function 0060C998: _wcslen.LIBCMT ref: 0060CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0060BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0060BB63
RegCloseKey.ADVAPI32(?,?), ref: 0060BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0060BBB3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 5212f6a034cd808bb5a95084720ee41cb7f1276eb19ffa9535b958ec37135440
Instruction ID: 40eee6cb6aa34eb821e5f752772f41be410856bafe8cb8d9e1221c130b42b220
Opcode Fuzzy Hash: 5212f6a034cd808bb5a95084720ee41cb7f1276eb19ffa9535b958ec37135440
Instruction Fuzzy Hash: B961B031208241AFD318DF14C494E6BBBE6FF84308F14995DF4998B2A2DB31ED45CB92

Function 005E8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005E8BCD
VariantClear.OLEAUT32 ref: 005E8C3E
VariantClear.OLEAUT32 ref: 005E8C9D
VariantClear.OLEAUT32(?), ref: 005E8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005E8D3B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 878a4bfc2372ddeb8ad68dfc9a4ccaa1683569443359b66fdfab98c0109c1631
Instruction ID: ccf1de3e433d3159a4f960e118805802b3e2429193f26846c6992333430b46f0
Opcode Fuzzy Hash: 878a4bfc2372ddeb8ad68dfc9a4ccaa1683569443359b66fdfab98c0109c1631
Instruction Fuzzy Hash: 2A5198B5A00219EFCB14CF29C884AAABBF9FF89310B158559F949DB350E730E911CF90

Function 005F8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005F8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 005F8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005F8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005F8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005F8C5F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 705f30377e334911b83e6855f91b6454f2b281ebae2db6fbe02a9dfbefabd0ba
Instruction ID: 4aff19aa5af4311e4aa321f4f779996de44d243c1858d6e1aaece624409f2a9f
Opcode Fuzzy Hash: 705f30377e334911b83e6855f91b6454f2b281ebae2db6fbe02a9dfbefabd0ba
Instruction Fuzzy Hash: 39515B35A00219DFCB04EF64C885AADBBF5FF48314F088459E949AB362DB35ED41CBA0

Function 00608EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00608F40
GetProcAddress.KERNEL32(00000000,?), ref: 00608FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00608FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00609032
FreeLibrary.KERNEL32(00000000), ref: 00609052

Part of subcall function 0059F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,005F1043,?,75C0E610), ref: 0059F6E6
Part of subcall function 0059F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,005DFA64,00000000,00000000,?,?,005F1043,?,75C0E610,?,005DFA64), ref: 0059F70D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 33ddee1fa223536dea63c34a05a3f8e86a9a27f887347bd198da60b66a301c92
Instruction ID: 779a7b89483dcb246a40b79569c243491dbf44cf6e9df1996b48bc27afaaf301
Opcode Fuzzy Hash: 33ddee1fa223536dea63c34a05a3f8e86a9a27f887347bd198da60b66a301c92
Instruction Fuzzy Hash: 99512D35644206DFC715EF64C4858EEBBB2FF89354F088099E846AB362DB31ED85CB90

Function 00616B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00616C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00616C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00616C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,005FAB79,00000000,00000000), ref: 00616C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00616CC7

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: df5c538a2ff2604ce3d8bcd4288c5b3d16f939753fef83a85af28027a9e65884
Instruction ID: f8b8bf17ec8b6d862695817faab74c3b9a9eacc7be3548962ffb04414b670af0
Opcode Fuzzy Hash: df5c538a2ff2604ce3d8bcd4288c5b3d16f939753fef83a85af28027a9e65884
Instruction Fuzzy Hash: 41419239604104AFD724CF28CC58FE97BA6EB09360F194269F995A73E0D371AD91CA90

Function 005B2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005B20C3
_free.LIBCMT ref: 005B20E3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: aecb030732eb3dbf0e472d58c2442e9bf7ad94d4c4af84da679b121b9ceffa3e
Instruction ID: b0ecafe299ee754b6606ff8c5aec606277a02de88ffd7e975e46177e9c59329c
Opcode Fuzzy Hash: aecb030732eb3dbf0e472d58c2442e9bf7ad94d4c4af84da679b121b9ceffa3e
Instruction Fuzzy Hash: CB41E232A00204AFCB20DF78C885A9DBBA5FF89714F158568E515EB352DB31BD01CBA0

Function 0059912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00599141
ScreenToClient.USER32(00000000,?), ref: 0059915E
GetAsyncKeyState.USER32(00000001), ref: 00599183
GetAsyncKeyState.USER32(00000002), ref: 0059919D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 3d94615346dd995dac9e37964e80af46cb041d909e442e2d349ecc0c75efb438
Instruction ID: d1a8edfb4a76e2235211a8ef4bbe6e662fe83a8a09436d6a641c7cf24435c557
Opcode Fuzzy Hash: 3d94615346dd995dac9e37964e80af46cb041d909e442e2d349ecc0c75efb438
Instruction Fuzzy Hash: 1941603190851BFBDF159FA8C848BEEBB75FB49324F24831AE425A32D0D7305990DB91

Function 005F3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 005F38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 005F3922
TranslateMessage.USER32(?), ref: 005F394B
DispatchMessageW.USER32(?), ref: 005F3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005F3966

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 8e37c2a912c91e595a4fc847a48b8f708d0f3e9a241401019fbb08f0f88a94bf
Instruction ID: 0a170c02279bfccc086fbcfc073d4b5237e748635ba5243d55637acddb56e02d
Opcode Fuzzy Hash: 8e37c2a912c91e595a4fc847a48b8f708d0f3e9a241401019fbb08f0f88a94bf
Instruction Fuzzy Hash: 1731E57094434A9EFB35CF34D958BB63FA9BB06341F04056EE662C61A0E3FC9A84CB11

Function 005FCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,005FC21E,00000000), ref: 005FCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 005FCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,005FC21E,00000000), ref: 005FCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,005FC21E,00000000), ref: 005FCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,005FC21E,00000000), ref: 005FCFF2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 0f1edc6baf007c406b6e4d66a83a3f373dc633323bd3915d697814799a9675b8
Instruction ID: 759885c7ab38cc53cbf9a9dab64de91dadcb7727d7761e5d6ca5b7f3fee91974
Opcode Fuzzy Hash: 0f1edc6baf007c406b6e4d66a83a3f373dc633323bd3915d697814799a9675b8
Instruction Fuzzy Hash: CD313A7150420EAFDB20DFA5C984ABABFFAFB14354B14843EE616D2140DB34AE409B60

Function 005E1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005E1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 005E19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 005E19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 005E19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 005E19E2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 1ef9f83cc883683d049f0bb99f8b406f40f520bd8d89c1c1c2d4855b2132419e
Instruction ID: 0f9c6e7c21f67eaa03912a9e5d1375265ecc56ccecf372b94a84109e6a43c85e
Opcode Fuzzy Hash: 1ef9f83cc883683d049f0bb99f8b406f40f520bd8d89c1c1c2d4855b2132419e
Instruction Fuzzy Hash: 4931B171900259EFCB04CFA9CD99ADE3BB6FB44325F108225F961E72D1C7709944DB94

Function 00615706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00615745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0061579D
_wcslen.LIBCMT ref: 006157AF
_wcslen.LIBCMT ref: 006157BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00615816

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 5a3b9cd4c544c64358b0e63c96112e77266ef32ea00aa57e14ce22761d33fd72
Instruction ID: cf703279cab56d354910e127d95ae05dc601ae6673f70d705d20e7ade134c349
Opcode Fuzzy Hash: 5a3b9cd4c544c64358b0e63c96112e77266ef32ea00aa57e14ce22761d33fd72
Instruction Fuzzy Hash: CC218971904618DADB209F64CC85AEDB7B9FF85724F148616E926DA2C0D77089C5CF50

Function 00600930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00600951
GetForegroundWindow.USER32 ref: 00600968
GetDC.USER32(00000000), ref: 006009A4
GetPixel.GDI32(00000000,?,00000003), ref: 006009B0
ReleaseDC.USER32(00000000,00000003), ref: 006009E8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 696788bea1efe3f1cd6616f83c4ce3aaf40f9ff388249c8ecec54bd7d9561cec
Instruction ID: 15128b4846177aa3062f53d66fd884ed617b5b8313e488ef0a0aa5b2e663e6d4
Opcode Fuzzy Hash: 696788bea1efe3f1cd6616f83c4ce3aaf40f9ff388249c8ecec54bd7d9561cec
Instruction Fuzzy Hash: 72218475640204AFE704EF65D949AAEBBE9FF84710F048069E94AA7352DB70AC04CB90

Function 005BCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005BCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005BCDE9

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005BCE0F
_free.LIBCMT ref: 005BCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005BCE31

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f0c0d8c1705287d05e56379c1a73403746a3b3bb75fac4a5f426f09213715b9f
Instruction ID: c770dbd277f8a34be6c03b9e4e47ccd1d214a3e4e788323ec5327598a0a302e8
Opcode Fuzzy Hash: f0c0d8c1705287d05e56379c1a73403746a3b3bb75fac4a5f426f09213715b9f
Instruction Fuzzy Hash: 4F01FC72601215BF632216766C4CCFF7D6DFEC6BA1315412AFD05DB100DA60DD0181B4

Function 00599639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00599693
SelectObject.GDI32(?,00000000), ref: 005996A2
BeginPath.GDI32(?), ref: 005996B9
SelectObject.GDI32(?,00000000), ref: 005996E2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: a2205c76f39e39c3c4fc1cdac5925a06d05e6722287de01438ea2e17c0f2dad2
Instruction ID: 1c11e2f52a6d1c6538f3b993062514be7afe75c7e2421981459210a3fe8c8f8f
Opcode Fuzzy Hash: a2205c76f39e39c3c4fc1cdac5925a06d05e6722287de01438ea2e17c0f2dad2
Instruction Fuzzy Hash: F2214C70802309EBDF11DF68EC197ED3FAABB56366F14521BF411AA1A0D3709891CB94

Function 005E5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 005E5726
_memcmp.LIBVCRUNTIME ref: 005E5744
_memcmp.LIBVCRUNTIME ref: 005E5757
_memcmp.LIBVCRUNTIME ref: 005E576F
_memcmp.LIBVCRUNTIME ref: 005E5787

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e6b2652b91c96d41e2dcfd13b36af4df3cfea483c54b0bb43df7186a782e0ba6
Instruction ID: 10b90a2e465aad3ce16ff75b171c86309ae637e01915ed8998674dacefa90373
Opcode Fuzzy Hash: e6b2652b91c96d41e2dcfd13b36af4df3cfea483c54b0bb43df7186a782e0ba6
Instruction Fuzzy Hash: 9E01F5A2241A0AFBD60C96129D82FFF7B5DFB613DCF040421FE059A241F760ED6082E4

Function 005B2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,005AF2DE,005B3863,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6), ref: 005B2DFD
_free.LIBCMT ref: 005B2E32
_free.LIBCMT ref: 005B2E59
SetLastError.KERNEL32(00000000,00581129), ref: 005B2E66
SetLastError.KERNEL32(00000000,00581129), ref: 005B2E6F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: fb0981b901a0bf9b07ded3264d59ecf9023f3fc55e098c023e3186253f966346
Instruction ID: 889afd400a38d4e1f99a97b83e3cc80592b3810f63b88a4fe0a3a8e1aae81b69
Opcode Fuzzy Hash: fb0981b901a0bf9b07ded3264d59ecf9023f3fc55e098c023e3186253f966346
Instruction Fuzzy Hash: 7601F43624560167C713673A6C49DFF2E6EBBD53B1F258829F825A2292EE24EC014030

Function 005E000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?,?,005E035E), ref: 005E002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?), ref: 005E0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,005DFF41,80070057,?,?), ref: 005E0070

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b8286937635dd4db6a976d256e21057f6649b91bb44225114dd2db102ad82291
Instruction ID: 544d51d06445fffaf6805d263e3795f61ed43ae0b39cedd391300e8fb6bc1547
Opcode Fuzzy Hash: b8286937635dd4db6a976d256e21057f6649b91bb44225114dd2db102ad82291
Instruction Fuzzy Hash: BA01DF72600204BFDB109F6ADC48BAE7EAEFB44361F18A025F841D2250D7B0DD809BA0

Function 005EE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 005EE997
QueryPerformanceFrequency.KERNEL32(?), ref: 005EE9A5
Sleep.KERNEL32(00000000), ref: 005EE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 005EE9B7
Sleep.KERNEL32 ref: 005EE9F3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 5f12249a3a2fc5858ffadb8c459f2b03563bf160b1d4280bf77d593d06fe4469
Instruction ID: 799b183c4b657d1ca6dd4f48fa778cc7a6d1c3b5de06c6e7c59e22f2f7bf3724
Opcode Fuzzy Hash: 5f12249a3a2fc5858ffadb8c459f2b03563bf160b1d4280bf77d593d06fe4469
Instruction Fuzzy Hash: 20015731C51629EBCF04ABE6D84AAEDBBB9BB09310F044546E542F2242CB309650CBA1

Function 005E10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005E1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,005E0B9B,?,?,?), ref: 005E1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005E114D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 59d93266b52be2e62e3670c7b5a684ae1d63d42b3bda1162f684905ee7434682
Instruction ID: 55e08b6337bc73f726b849a1dce57cf9fdbbb250799c1e44589f03de3a5cc44a
Opcode Fuzzy Hash: 59d93266b52be2e62e3670c7b5a684ae1d63d42b3bda1162f684905ee7434682
Instruction Fuzzy Hash: 70016D79140705BFDB154F65DC49AAA3F6EFF85360B144415FA81C3350DA71DC00DA60

Function 005E0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005E0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005E0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005E0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005E0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005E1002

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f98a2b859f1ac1c632de08414ad5a9aab4e638e8ef2a9da4cd7b32594eb4da53
Instruction ID: d37a8042bebad6bd441b0207a209bb12cb19e469455aed7dc6c553e774958964
Opcode Fuzzy Hash: f98a2b859f1ac1c632de08414ad5a9aab4e638e8ef2a9da4cd7b32594eb4da53
Instruction Fuzzy Hash: 57F0AF39180741BBD7214FA5DC4DF9A3F6EFF89762F158415F945C6290DA31DC408A60

Function 005E1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005E102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005E1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005E104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1062

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d0614579ccc09c4e1edbb032c82ae9fba24517c8c7de96d0dc47ecb5048eaf5a
Instruction ID: 87b8395fc11c6b9b9c0d0001b0abe486b898adb3e2ae6043cd887206537eb336
Opcode Fuzzy Hash: d0614579ccc09c4e1edbb032c82ae9fba24517c8c7de96d0dc47ecb5048eaf5a
Instruction Fuzzy Hash: 74F0CD39280741FBDB215FA6EC4DF9A3FAEFF89761F154426FA45C7250CA31D8808A60

Function 005F030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0324
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0331
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F033E
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F034B
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0358
CloseHandle.KERNEL32(?,?,?,?,005F017D,?,005F32FC,?,00000001,005C2592,?), ref: 005F0365

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 295604580c55f7d0ac86803ab912812443e5efa5512bdb14184813a85ce9fd3e
Instruction ID: df59b523a181f7b97fa4e2ff6f76ea3d8e6cf535080a567dfeeaee9080114130
Opcode Fuzzy Hash: 295604580c55f7d0ac86803ab912812443e5efa5512bdb14184813a85ce9fd3e
Instruction Fuzzy Hash: F101A272800B199FC7309F66D880826FBF5BF503153199E3FD296529B2C375A954CF80

Function 005BD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005BD752

Part of subcall function 005B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005BD764
_free.LIBCMT ref: 005BD776
_free.LIBCMT ref: 005BD788
_free.LIBCMT ref: 005BD79A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 13b32ca4313dd2806e4c26b5c03891813b0b911b0a3704061422b44a3e07f32f
Instruction ID: c4999b4d3f36843462e954dd218a7f5673f09ce711e2f1ea85f100ccaebf7d7b
Opcode Fuzzy Hash: 13b32ca4313dd2806e4c26b5c03891813b0b911b0a3704061422b44a3e07f32f
Instruction Fuzzy Hash: 0AF0C936545205BBC665EB64F9899D67FEAFB45720B941C05F04CD7601DA24F8808674

Function 005E5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005E5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 005E5C6F
MessageBeep.USER32(00000000), ref: 005E5C87
KillTimer.USER32(?,0000040A), ref: 005E5CA3
EndDialog.USER32(?,00000001), ref: 005E5CBD

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5c6a24e8e3508e260380f9053cd7ee8b561873f96d37b703ec3a00dbe34564a8
Instruction ID: ce82a9eef9d9bd2412ae91ae86879e8c4cb07c1f97718dec0f6d45bfc3d37759
Opcode Fuzzy Hash: 5c6a24e8e3508e260380f9053cd7ee8b561873f96d37b703ec3a00dbe34564a8
Instruction Fuzzy Hash: 4601F930540B04ABEB245B11DD5EFEA7BB9BF04B09F04155AB5C7A10E1EBF0AD84CB90

Function 005B22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005B22BE

Part of subcall function 005B29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000), ref: 005B29DE
Part of subcall function 005B29C8: GetLastError.KERNEL32(00000000,?,005BD7D1,00000000,00000000,00000000,00000000,?,005BD7F8,00000000,00000007,00000000,?,005BDBF5,00000000,00000000), ref: 005B29F0

_free.LIBCMT ref: 005B22D0
_free.LIBCMT ref: 005B22E3
_free.LIBCMT ref: 005B22F4
_free.LIBCMT ref: 005B2305

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1a6e59b7db16926035ebca4bd03e137450fe7be1ed8d0d1b1e025d398855e464
Instruction ID: 765f60382ef953bca31528d5c0bb9329ae15bbf024dc02dd6676222593c0a6ea
Opcode Fuzzy Hash: 1a6e59b7db16926035ebca4bd03e137450fe7be1ed8d0d1b1e025d398855e464
Instruction Fuzzy Hash: A2F030744013129BD752EF64BC059983F67B719762F012A06F81CD7371C73066919BB5

Function 005995C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005995D4
StrokeAndFillPath.GDI32(?,?,005D71F7,00000000,?,?,?), ref: 005995F0
SelectObject.GDI32(?,00000000), ref: 00599603
DeleteObject.GDI32 ref: 00599616
StrokePath.GDI32(?), ref: 00599631

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e219ee5f79f4b528f6b2f83e8225e74b52f9b5b669984f42be9fe72b07fec6df
Instruction ID: 489dccb64123c6afdc812f913f6f57491f7f3cf36b1fe0936a64beb8ce5fb517
Opcode Fuzzy Hash: e219ee5f79f4b528f6b2f83e8225e74b52f9b5b669984f42be9fe72b07fec6df
Instruction Fuzzy Hash: BDF01930045308EBDB129F69ED187A93F62BB06333F08A219F465990F0C7318991DFA4

Function 005B0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 005B10F9
__freea.LIBCMT ref: 005B1117

Part of subcall function 005B1537: _free.LIBCMT ref: 005B154F

Strings

am/pm, xrefs: 005B117A
a/p, xrefs: 005B11DE

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: bcf4559dd89d158c652b58fc7a6b20e170b64e5e5e24cccf86a97162b560cbb0
Instruction ID: 37c8fc4b40fe4188aed05b12142b62a6a883c59f53a4c5cd1f8bb8f57e152f83
Opcode Fuzzy Hash: bcf4559dd89d158c652b58fc7a6b20e170b64e5e5e24cccf86a97162b560cbb0
Instruction Fuzzy Hash: 50D1F535900A06CBDBA49F68C869BFEBFB1FF45300FA40959E5029B650E375BD80CB59

Function 006061D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 005A0242: EnterCriticalSection.KERNEL32(0065070C,00651884,?,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A024D
Part of subcall function 005A0242: LeaveCriticalSection.KERNEL32(0065070C,?,0059198B,00652518,?,?,?,005812F9,00000000), ref: 005A028A

Part of subcall function 005A00A3: __onexit.LIBCMT ref: 005A00A9

__Init_thread_footer.LIBCMT ref: 00606238

Part of subcall function 005A01F8: EnterCriticalSection.KERNEL32(0065070C,?,?,00598747,00652514), ref: 005A0202
Part of subcall function 005A01F8: LeaveCriticalSection.KERNEL32(0065070C,?,00598747,00652514), ref: 005A0235

Part of subcall function 005F359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 005F35E4
Part of subcall function 005F359C: LoadStringW.USER32(00652390,?,00000FFF,?), ref: 005F360A

Strings

x#e, xrefs: 0060633A
x#e, xrefs: 0060636F
x#e, xrefs: 00606353

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#e$x#e$x#e
API String ID: 1072379062-426434576
Opcode ID: 2b4e2571aa689573e8632f9e0094965c3d6d9af8d13f3fe8ed0b4417c524f8fc
Instruction ID: 314903cdf56788e6c3422317b0e4a21fefddf9b0b2cc02b766bbc5b6106fc1d8
Opcode Fuzzy Hash: 2b4e2571aa689573e8632f9e0094965c3d6d9af8d13f3fe8ed0b4417c524f8fc
Instruction Fuzzy Hash: B2C18E71A40106AFDB18DF58C895EBEBBBAFF49300F148069F905AB291DB70ED55CB90

Function 005B5AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOX, xrefs: 005B5BA8, 005B5C6C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: JOX
API String ID: 0-2417842952
Opcode ID: 39b2d5d75964c783a7ba7eb486c411a2ce626535755f38a47118e31ce350cf69
Instruction ID: d6d11c897eca9850f2c44474656a23a482d67d99fda689edf392c8c1d6f7fb4f
Opcode Fuzzy Hash: 39b2d5d75964c783a7ba7eb486c411a2ce626535755f38a47118e31ce350cf69
Instruction Fuzzy Hash: FA519075D0060A9FDB29AFA4C849FEEBFB9FF45310F140459F405A7292E771AE018B61

Function 005B8A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 005B8B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 005B8B7A
__dosmaperr.LIBCMT ref: 005B8B81

Strings

.Z, xrefs: 005B8A63

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .Z
API String ID: 2434981716-572057124
Opcode ID: 93be402df1fb2c51bb022c3c1e27016671aa605bf9ab7ea5e6b2d90e82c5d472
Instruction ID: 5c14c94a044e1c9edec29e97460b569d58eeaf23cfca8792a7bf1da284f4b41a
Opcode Fuzzy Hash: 93be402df1fb2c51bb022c3c1e27016671aa605bf9ab7ea5e6b2d90e82c5d472
Instruction Fuzzy Hash: 31416B70604145AFDB249F24DC91AFD7FAAFB85314F28A599E84587242DE31EC02D750

Function 005E2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005EB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005E21D0,?,?,00000034,00000800,?,00000034), ref: 005EB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005E2760

Part of subcall function 005EB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005E21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 005EB3F8

Part of subcall function 005EB32A: GetWindowThreadProcessId.USER32(?,?), ref: 005EB355
Part of subcall function 005EB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005E2194,00000034,?,?,00001004,00000000,00000000), ref: 005EB365
Part of subcall function 005EB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005E2194,00000034,?,?,00001004,00000000,00000000), ref: 005EB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005E27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005E281A

Strings

@, xrefs: 005E2832

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: a96e8d7ef954b34a0776a2bdc1c07f95d71b7ff4b2b7a447f73065c797803813
Instruction ID: c68494e4d9bc6e54f7e1b7eb1379702a274da687c97c5fd876ff12f9c3cee139
Opcode Fuzzy Hash: a96e8d7ef954b34a0776a2bdc1c07f95d71b7ff4b2b7a447f73065c797803813
Instruction Fuzzy Hash: 07414E72900219AFDB14DFA5CD46AEEBBB8FF49300F104059FA95B7181DB706E45CBA1

Function 005B172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 005B1769
_free.LIBCMT ref: 005B1834
_free.LIBCMT ref: 005B183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 005B1760, 005B1767, 005B1796, 005B17CE

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: d1f0b54e93e1a528362f87a377e6bb6153e93e9f0e96d8e36d2d837bfd71e350
Instruction ID: 3087a3f1d405bda47c17a4cf8b06b9fd80e8e0f9483a2446267653565bdabb24
Opcode Fuzzy Hash: d1f0b54e93e1a528362f87a377e6bb6153e93e9f0e96d8e36d2d837bfd71e350
Instruction Fuzzy Hash: 1A31AE71A00609ABDB61DF999C85DEEBFFDFB85310F504166F804DB211DA70AE80CBA4

Function 005EC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005EC306
DeleteMenu.USER32(?,00000007,00000000), ref: 005EC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00651990,01385138), ref: 005EC395

Strings

0, xrefs: 005EC2DF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 995c9453c02c33026440996aab638056b518bfc5921d57d1d6d24e001eaf0d3f
Instruction ID: 136d7a53cf1b80d918891fe73cf089572584a3cdaa6f5e6092a1471f801afbe1
Opcode Fuzzy Hash: 995c9453c02c33026440996aab638056b518bfc5921d57d1d6d24e001eaf0d3f
Instruction Fuzzy Hash: DB4181312043829FD728DF26D845F5ABFE4BB89320F148A5EF9A5972D1D730E905CB62

Function 00614416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0061CC08,00000000,?,?,?,?), ref: 006144AA
GetWindowLongW.USER32 ref: 006144C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 006144D7

Strings

SysTreeView32, xrefs: 0061447C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 4104da12d028ff3002f8889672e28e79c907f642dc299afdce5a26b3425316b5
Instruction ID: 34c5601596c2da8b12c8330cf5f5dc132e73338fc8de96e9c467a77f13a671fa
Opcode Fuzzy Hash: 4104da12d028ff3002f8889672e28e79c907f642dc299afdce5a26b3425316b5
Instruction Fuzzy Hash: B8317E71210605AFDB209E38DC45BEA7BAAEB48334F284715F975D32D0DB70AC919750

Function 005E6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 005E6EED
VariantCopyInd.OLEAUT32(?,?), ref: 005E6F08
VariantClear.OLEAUT32(?), ref: 005E6F12

Strings

*j^, xrefs: 005E6E8B, 005E6E90, 005E6EF8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *j^
API String ID: 2173805711-3646612986
Opcode ID: c101e4549d0db77fb922999c5db8b4b2d992c35e66ed9792da0a1d28ff8bb3cd
Instruction ID: eeba85318ef57b711e4d9edef917438bcd2b7d47f2c1ef906e73679ba01322dc
Opcode Fuzzy Hash: c101e4549d0db77fb922999c5db8b4b2d992c35e66ed9792da0a1d28ff8bb3cd
Instruction Fuzzy Hash: 5131E471604286DFDB08BF65E8548BD3FB6FFA5380B100899F8625B2A1DB309951DBE0

Function 0060304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0060335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00603077,?,?), ref: 00603378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0060307A
_wcslen.LIBCMT ref: 0060309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00603106

Strings

255.255.255.255, xrefs: 00603095, 0060309A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 10c17623e7e4f7bc02ce7ee8185214da7a72460c235da532563deec0976fd246
Instruction ID: d15939bed93c34397f6317546dc680c5bfcde1f11262f2478e4c33aef2c180ca
Opcode Fuzzy Hash: 10c17623e7e4f7bc02ce7ee8185214da7a72460c235da532563deec0976fd246
Instruction Fuzzy Hash: 6531F5352002119FC718CF28C585EAB7BEAEF55319F248099E8168B3D2D732DE41C760

Function 00614653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00614705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00614713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0061471A

Strings

msctls_updown32, xrefs: 00614684

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 3c038e1ba1e1f961d851a0d52d08f4d8b92c38966c79153359548abe1fcb008c
Instruction ID: 8a57a9c3cba967d190b7eb2a2c3d1f5bbbc5309f40f0ce8b1dfc38c63f7ecdf7
Opcode Fuzzy Hash: 3c038e1ba1e1f961d851a0d52d08f4d8b92c38966c79153359548abe1fcb008c
Instruction Fuzzy Hash: 1D215EB5600209AFDB10DF64DC95DEB37AEEB8A7A4B080059FA009B391CB70EC51CA60

Function 005E95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005E961D

Strings

#requireadmin, xrefs: 005E95D9
#notrayicon, xrefs: 005E95B7
#OnAutoItStartRegister, xrefs: 005E95F3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: a8353a61ceb0ccaf8719f87bf43a3ffb4fe0d9662098327f75664014da9ac71d
Instruction ID: 40cd049797eee570b28d106490005003b3d1b0b7a7f59e0329b22be26d3996bd
Opcode Fuzzy Hash: a8353a61ceb0ccaf8719f87bf43a3ffb4fe0d9662098327f75664014da9ac71d
Instruction Fuzzy Hash: 19213872204692A6C735AB269C06FBB7BACBFD5300F144827F9C997041EB919D81C3D5

Function 006137B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00613840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00613850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00613876

Strings

Listbox, xrefs: 0061380F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 85b573490bf56663013bb8b831bc828608d7cd48393cdb5eddfd27a545fb805f
Instruction ID: 8c86e11f794f8fba024b812406c2685f1510d36fbbe4f7194231b3390c01ec2c
Opcode Fuzzy Hash: 85b573490bf56663013bb8b831bc828608d7cd48393cdb5eddfd27a545fb805f
Instruction Fuzzy Hash: 3921AF72610228BBEF218F64CC45EEB376BEF89760F148124F9019B290C6719C9287A0

Function 005F49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005F4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005F4A5C
SetErrorMode.KERNEL32(00000000,?,?,0061CC08), ref: 005F4AD0

Strings

%lu, xrefs: 005F4A6F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e9110343f81823d7bb376571634a3884dc1a32fe2fe74a0655555126be61508d
Instruction ID: 4cf54581ed94552cadfbee640ee6a3cd6d0c8db3d1d6266a7b0662dc7e734988
Opcode Fuzzy Hash: e9110343f81823d7bb376571634a3884dc1a32fe2fe74a0655555126be61508d
Instruction Fuzzy Hash: 38317F70A40109AFDB10EF54C885EAE7BF9FF48304F188099E905EB252D775ED45CB61

Function 005E2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

Part of subcall function 005E2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005E2DC5
Part of subcall function 005E2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E2DD6
Part of subcall function 005E2DA7: GetCurrentThreadId.KERNEL32 ref: 005E2DDD
Part of subcall function 005E2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005E2DE4

GetFocus.USER32 ref: 005E2F78

Part of subcall function 005E2DEE: GetParent.USER32(00000000), ref: 005E2DF9

GetClassNameW.USER32(?,?,00000100), ref: 005E2FC3
EnumChildWindows.USER32(?,005E303B), ref: 005E2FEB

Strings

%s%d, xrefs: 005E2FFF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 2688ece5cba0769619ee2eeee1436503f860d9829352f3fd3d9c83b0bbd6f124
Instruction ID: ba59a6e9f5834578a0233e0c7bea314d00025499e9ec9592ae492f3f90e43047
Opcode Fuzzy Hash: 2688ece5cba0769619ee2eeee1436503f860d9829352f3fd3d9c83b0bbd6f124
Instruction Fuzzy Hash: 2C11B7756002466BCF187F718C8DEED3B6ABFD4314F049075FE499B152DE3059459B60

Function 00615882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006158C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006158EE
DrawMenuBar.USER32(?), ref: 006158FD

Strings

0, xrefs: 0061588F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: da001a117123b12e6598fc462349e9e53d9b333aae309cbcdb96337ea6199fe7
Instruction ID: f64261224476aae8726d771ab6f4acaa40b6a5cbd52af9c1bcfe349feb65840e
Opcode Fuzzy Hash: da001a117123b12e6598fc462349e9e53d9b333aae309cbcdb96337ea6199fe7
Instruction Fuzzy Hash: C8018431500258EFDB519F11DC44BEEBBBAFF85360F18849AE849D6251DB308AD4DF21

Function 005DD3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 005DD3BF
FreeLibrary.KERNEL32 ref: 005DD3E5

Strings

X64, xrefs: 005DD2A8
GetSystemWow64DirectoryW, xrefs: 005DD3B9

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 1e7f61ed0fc89091786e16d3c166403aa9265f8b6fbf16ae1b7467d474df883a
Instruction ID: e6a1109d5331c5a736adcc8edb5bc62609d5ddb42c08b8e63e01d99a1789827e
Opcode Fuzzy Hash: 1e7f61ed0fc89091786e16d3c166403aa9265f8b6fbf16ae1b7467d474df883a
Instruction Fuzzy Hash: 83F055258C2621EBC7714A188C28EAD3F32BF01701BAD9817E802E5304D720CC8482B2

Function 005E007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b64deac0194f6197ea719cb482e14e717161823f34459efd9576b167028b00f2
Instruction ID: 15620ed257ce41d668924a4740713ef4027e4a4029efa946ecd9e91fa9474518
Opcode Fuzzy Hash: b64deac0194f6197ea719cb482e14e717161823f34459efd9576b167028b00f2
Instruction Fuzzy Hash: 9FC18D75A00246EFCB18CFA5C894EAEBBB5FF48314F209598E545EB291C771DD81CB90

Function 0060342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00603459
CoUninitialize.OLE32 ref: 00603463
VariantInit.OLEAUT32(?), ref: 0060346E
VariantClear.OLEAUT32(?), ref: 0060371B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 92dc468198815cf62b76ffc306a684dc03185225b04e2a72e7b537ff4cac08b6
Instruction ID: 7335da8b68ea3933f409422cea0910ed23ffdbafab7147d47be04a8a625b8d6e
Opcode Fuzzy Hash: 92dc468198815cf62b76ffc306a684dc03185225b04e2a72e7b537ff4cac08b6
Instruction Fuzzy Hash: 71A16D752043119FC704EF28C489A6ABBE9FF8C715F148859F989AB3A2DB31ED01CB51

Function 005E0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0061FC08,?), ref: 005E05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0061FC08,?), ref: 005E0608
CLSIDFromProgID.OLE32(?,?,00000000,0061CC40,000000FF,?,00000000,00000800,00000000,?,0061FC08,?), ref: 005E062D
_memcmp.LIBVCRUNTIME ref: 005E064E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: ee8c2d63b34ade15343acf86e46b931da9a2778521ec0aa8b0ab07bef8e66ab1
Instruction ID: 8b3768ba8599fc3515bd63aa929e9cb08425ba6c1a9755ec814fe3d6ba4e018b
Opcode Fuzzy Hash: ee8c2d63b34ade15343acf86e46b931da9a2778521ec0aa8b0ab07bef8e66ab1
Instruction Fuzzy Hash: 38813C71A00109EFCB04DF94C984EEEBBB9FF89315F204559E546AB290DB71AE46CF60

Function 0060A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0060A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0060A6BA

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Process32NextW.KERNEL32(00000000,?), ref: 0060A79C
CloseHandle.KERNEL32(00000000), ref: 0060A7AB

Part of subcall function 0059CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,005C3303,?), ref: 0059CE8A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 0c935b96964d979c9273ddc0ce13c83a7263e5e37ca0209b36657cd2cc605632
Instruction ID: 8c0b3bfa15406804a5fb84f1593fe1924ff4c6e053659d1901529f20e85bfe7e
Opcode Fuzzy Hash: 0c935b96964d979c9273ddc0ce13c83a7263e5e37ca0209b36657cd2cc605632
Instruction Fuzzy Hash: 8C516E71548301AFD714EF24C88AA6BBBE9FFC9754F00891DF985A7291EB30D904CB92

Function 005C1391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005C14C0

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 822a87bcc6dbfce523f2b32c4652aa97188a4000abeeb21f5757497779590e71
Instruction ID: e1306178289038d84b880ff01a53b90e70648f026776a19bee9abbf05c57a545
Opcode Fuzzy Hash: 822a87bcc6dbfce523f2b32c4652aa97188a4000abeeb21f5757497779590e71
Instruction Fuzzy Hash: 5B412735900902AEDF296AF88C89FAE3EA5FF83370F244629F419D6293F63448415775

Function 00616278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006162E2
ScreenToClient.USER32(?,?), ref: 00616315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00616382

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 664c8a50f28365d42ff403788347b72001b8f27606cf719c5c8575d13b243dd8
Instruction ID: 006f47a2f9a5aaf18b66bf4e2fab7c2f5cff4be84413cefa900a15807c8074e8
Opcode Fuzzy Hash: 664c8a50f28365d42ff403788347b72001b8f27606cf719c5c8575d13b243dd8
Instruction Fuzzy Hash: CC51FA78A00209EFDB10DF64D881AEE7BB6EF55360F149159F9259B2A0D770AD81CB90

Function 00601AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00601AFD
WSAGetLastError.WSOCK32 ref: 00601B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00601B8A
WSAGetLastError.WSOCK32 ref: 00601B94

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 864c0e0ec45298c187b12967e7b4e39af71b269c02e7f7ee69a3093a5b11fb7c
Instruction ID: a460442eacc9e39d223a4de82b5717bbe0966eeb000483625bc563c7486e4b81
Opcode Fuzzy Hash: 864c0e0ec45298c187b12967e7b4e39af71b269c02e7f7ee69a3093a5b11fb7c
Instruction Fuzzy Hash: 8B41C734640201AFEB24AF24C88AF6A7BE5AF85718F54C448FA1A9F7D2D771DD41CB90

Function 005BB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2202cf70d63fc7e92302dbb4ea97ee48eaa16320579c6b4e4dddcab1af17edf
Instruction ID: a2b88a7429f0376ba92ebcb67e43934a3e434c35b65ce7f573918eb700bc9397
Opcode Fuzzy Hash: c2202cf70d63fc7e92302dbb4ea97ee48eaa16320579c6b4e4dddcab1af17edf
Instruction Fuzzy Hash: 2241F875A00705AFE7249F78CC45BAA7FAAFBC5710F10452EF145DB282D7F1A9018790

Function 005F56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005F5783
GetLastError.KERNEL32(?,00000000), ref: 005F57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005F57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005F57FA

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6f0e10a0d48f33a221c1f4395fb74c9739188c8cdeef58ca5fbd2ba87d9ac06f
Instruction ID: f9d2f6b2cd85786ea5b985abf2601d155b540104157ad9fe46250f7bef2bd562
Opcode Fuzzy Hash: 6f0e10a0d48f33a221c1f4395fb74c9739188c8cdeef58ca5fbd2ba87d9ac06f
Instruction Fuzzy Hash: 2B410739600615DFCB11EF15C448A5EBFE2BF89720B188488ED5AAB362DB34FD40CB91

Function 005BD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,005A6D71,00000000,00000000,005A82D9,?,005A82D9,?,00000001,005A6D71,?,00000001,005A82D9,005A82D9), ref: 005BD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005BD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 005BD9AB
__freea.LIBCMT ref: 005BD9B4

Part of subcall function 005B3820: RtlAllocateHeap.NTDLL(00000000,?,00651444,?,0059FDF5,?,?,0058A976,00000010,00651440,005813FC,?,005813C6,?,00581129), ref: 005B3852

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0a4f2eab0eb77fe70b3fcbfab96cddcb6c8313b67c93cdfbb9f452b3870ee3cc
Instruction ID: 949fcb46113447cc067eaee2d2c5e0ca0cd1c6121e137e0020054ea850dda301
Opcode Fuzzy Hash: 0a4f2eab0eb77fe70b3fcbfab96cddcb6c8313b67c93cdfbb9f452b3870ee3cc
Instruction Fuzzy Hash: 2C319A72A0020AABDB249F64DC45EEE7FB5FB81750F094169FC0496290EB35ED50CBA0

Function 006152C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00615352
GetWindowLongW.USER32(?,000000F0), ref: 00615375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00615382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006153A8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f1334a510dc0e90495f12c9d7ce7e618b79f198bc39dbfc1554d0aad83c2661b
Instruction ID: e106b9c78bcab8152b5a5108f7d359438bfbca9fd7ecf74356d8b2aad9447905
Opcode Fuzzy Hash: f1334a510dc0e90495f12c9d7ce7e618b79f198bc39dbfc1554d0aad83c2661b
Instruction Fuzzy Hash: 8831C634A55A08EFEF349F14CC15BE8B767AB85390F5C5102FA22972E1E7B49DC0A781

Function 005EAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 005EABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 005EAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 005EAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 005EACC6

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: b73ae6c7ad8746a221e8d11696f77fe4729373394ada594c058c833af57cd280
Instruction ID: c31a574c5f9fc961be775b501637899ac96fda14e7d8d62d6fb3427336d3a089
Opcode Fuzzy Hash: b73ae6c7ad8746a221e8d11696f77fe4729373394ada594c058c833af57cd280
Instruction Fuzzy Hash: 8B311A30940398AFFF398B7688047FE7F657B85310F28461AF4C9521D0C374AD858752

Function 00617674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0061769A
GetWindowRect.USER32(?,?), ref: 00617710
PtInRect.USER32(?,?,00618B89), ref: 00617720
MessageBeep.USER32(00000000), ref: 0061778C

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1e2fca010f93fffcebb647e8ba04a2ef069dee225d1f788b6ddbb87f7a52afe9
Instruction ID: 3f33346f7197df754f9d30258b45f5a37b74cd7c335005c2adf6fdf3e051c81c
Opcode Fuzzy Hash: 1e2fca010f93fffcebb647e8ba04a2ef069dee225d1f788b6ddbb87f7a52afe9
Instruction Fuzzy Hash: 33415874A092149FCB11CF58D894EE9BBF7BB49315F1D81A9E8149B3A1C731A982CB90

Function 006116DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006116EB

Part of subcall function 005E3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005E3A57
Part of subcall function 005E3A3D: GetCurrentThreadId.KERNEL32 ref: 005E3A5E
Part of subcall function 005E3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,005E25B3), ref: 005E3A65

GetCaretPos.USER32(?), ref: 006116FF
ClientToScreen.USER32(00000000,?), ref: 0061174C
GetForegroundWindow.USER32 ref: 00611752

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ed2f0e67687cac51046eaa71fc4e3fc9f09039f0628711008c12b77547ccde0b
Instruction ID: bd6d52c1f00c00e5f228701749d47bfa5fcb981c10e1ca944ce30dcdb1ce228d
Opcode Fuzzy Hash: ed2f0e67687cac51046eaa71fc4e3fc9f09039f0628711008c12b77547ccde0b
Instruction Fuzzy Hash: BB315D71E00149AFDB04EFA9C885CEEBBF9FF88304B5480AAE515E7351D6319E45CBA0

Function 00618FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

GetCursorPos.USER32(?), ref: 00619001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005D7711,?,?,?,?,?), ref: 00619016
GetCursorPos.USER32(?), ref: 0061905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005D7711,?,?,?), ref: 00619094

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4461053b5383b3694e2c2f42a56e6c1286afb8af89096c07c72f3b9b8f557fc2
Instruction ID: 188dd7eede6572ec7a0c400de58a1f507123e850eb1027d6e10e59d66f634e30
Opcode Fuzzy Hash: 4461053b5383b3694e2c2f42a56e6c1286afb8af89096c07c72f3b9b8f557fc2
Instruction Fuzzy Hash: 2E217435600114EFDB15CF54CC68EEA7BBBEB4A361F184059F5054B261C7319D90EB60

Function 005ED2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0061CB68), ref: 005ED2FB
GetLastError.KERNEL32 ref: 005ED30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 005ED319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0061CB68), ref: 005ED376

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: b5ced766602435b6a9099dcc773de59947a16b10456fc9b0abc306e72f58a5c4
Instruction ID: 44a10eeabecbdad8835f2ce6a46ae080bdef6fe34c35886b23ee89506bc08f87
Opcode Fuzzy Hash: b5ced766602435b6a9099dcc773de59947a16b10456fc9b0abc306e72f58a5c4
Instruction Fuzzy Hash: CF217E745082429FC314EF25C8854AEBBF4BE99324F144E1AF899D72A1D7309A45CBA3

Function 005E1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005E102A
Part of subcall function 005E1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005E1036
Part of subcall function 005E1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1045
Part of subcall function 005E1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005E104C
Part of subcall function 005E1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005E1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005E15BE
_memcmp.LIBVCRUNTIME ref: 005E15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005E1617
HeapFree.KERNEL32(00000000), ref: 005E161E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 62a7181844c2a10e4e5177df317ddf3a27b7d92b74d140d34ad0153aa9d695a4
Instruction ID: 151d434939ce63e2c97aad6f69b3430b49282f18ac0b3e66e285f5169c2ff288
Opcode Fuzzy Hash: 62a7181844c2a10e4e5177df317ddf3a27b7d92b74d140d34ad0153aa9d695a4
Instruction Fuzzy Hash: A121B031E40609EFDF04DFA5C949BEEBBB9FF44354F088459E485AB241D730AA04CB94

Function 00612782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0061280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00612824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00612832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00612840

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 10d912f3b97437eb59a207af1b2721419fa2da3fa304d54c1300ed19bcaf0ec3
Instruction ID: 1cb7d1095b753ea64553c6888ff4f4bcf7738032170d6a2b26a26941357c4f90
Opcode Fuzzy Hash: 10d912f3b97437eb59a207af1b2721419fa2da3fa304d54c1300ed19bcaf0ec3
Instruction Fuzzy Hash: E521A131204512AFD7149B24C855FEA7B9BAF85328F188159F826CB6E2C771FC92C7D0

Function 005E78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005E8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,005E790A,?,000000FF,?,005E8754,00000000,?,0000001C,?,?), ref: 005E8D8C
Part of subcall function 005E8D7D: lstrcpyW.KERNEL32(00000000,?,?,005E790A,?,000000FF,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E8DB2
Part of subcall function 005E8D7D: lstrcmpiW.KERNEL32(00000000,?,005E790A,?,000000FF,?,005E8754,00000000,?,0000001C,?,?), ref: 005E8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E7923
lstrcpyW.KERNEL32(00000000,?,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,005E8754,00000000,?,0000001C,?,?,00000000), ref: 005E7984

Strings

cdecl, xrefs: 005E797B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 002e01d59757e100ac98a03b1d315dcf10f275a8e14210ba14c4a7b0347eb9ad
Instruction ID: a1e5abd3a2a8273cfafdfc7b4d80fa33d9d22d735e7c23f9d5bda17cf377f988
Opcode Fuzzy Hash: 002e01d59757e100ac98a03b1d315dcf10f275a8e14210ba14c4a7b0347eb9ad
Instruction Fuzzy Hash: A411E93A200786ABCB195F35DC45E7A7BA9FF89350B50802AF986C7365EB319811C791

Function 00617CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00617D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00617D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00617D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005FB7AD,00000000), ref: 00617D6B

Part of subcall function 00599BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00599BB2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: d222301d6825b917013eea367d813c9a494b2b2f56739fb9c857466502544d17
Instruction ID: 7f0fb70dfd3c19db1e17da102d7626a2d39767f53c4eae5cdb4cab7e0c795497
Opcode Fuzzy Hash: d222301d6825b917013eea367d813c9a494b2b2f56739fb9c857466502544d17
Instruction Fuzzy Hash: C7119031605619AFCB109F28DC04AEA3BA7AF46375F198725F835CB2F0D73099A1CB90

Function 00615660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 006156BB
_wcslen.LIBCMT ref: 006156CD
_wcslen.LIBCMT ref: 006156D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00615816

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 8e29507358fb18d3afe586d267a60e95a9d30660cce1806faaa28d27b5a92a9c
Instruction ID: 4a930c09b15fd45f7e65cdbc2d5ea153e403cf4b8155ce941b9404bb19a0a85b
Opcode Fuzzy Hash: 8e29507358fb18d3afe586d267a60e95a9d30660cce1806faaa28d27b5a92a9c
Instruction Fuzzy Hash: 9511E131600608DADF209FA1CC85AEEB7BDAF91364F184426F916D6181E7708AC0CBA0

Function 005B1D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956dc41c337904affee6980f0ff889ceb14893fc0acd1fd15cb658f267a569a3
Instruction ID: b8e8f7a31b1b4137765065cba8591bc2e46a156863f085c9155b7b39916cf091
Opcode Fuzzy Hash: 956dc41c337904affee6980f0ff889ceb14893fc0acd1fd15cb658f267a569a3
Instruction Fuzzy Hash: 9E01DFB2205A067EF76116786CD1FA72E1DFF813B8F741725F520511D2DB20AC0041B4

Function 005E1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005E1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005E1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005E1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005E1A8A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 29cc18b08b3516137bc07e0484dbd9c75b964dfb2c52aeae7fa6b0570ea51f94
Instruction ID: b838f37ed914b4479f6ab68ac24e3c0b94c477f842f5c3ce4109e231972f8c11
Opcode Fuzzy Hash: 29cc18b08b3516137bc07e0484dbd9c75b964dfb2c52aeae7fa6b0570ea51f94
Instruction Fuzzy Hash: C1113C3AD01219FFEB10DBA5CD85FADBB78FB04750F2000A1E601B7290D6716E50DB94

Function 005EE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005EE1FD
MessageBoxW.USER32(?,?,?,?), ref: 005EE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005EE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005EE24D

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 7a2672b6b6542dce7225682cd6670c61a3bda6535d606b30dd4646a55e0e48df
Instruction ID: bf64ffadc2c10fc2798c7a9c60d4c7bb37ffcbb3035f4aca7ad927ea40aa727c
Opcode Fuzzy Hash: 7a2672b6b6542dce7225682cd6670c61a3bda6535d606b30dd4646a55e0e48df
Instruction Fuzzy Hash: ED112B7AD04394BBC705DFA89C1ABDE7FAEAB46321F048216F924D3290D6B0CD0487A0

Function 005AD1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,005ACFF9,00000000,00000004,00000000), ref: 005AD218
GetLastError.KERNEL32 ref: 005AD224
__dosmaperr.LIBCMT ref: 005AD22B
ResumeThread.KERNEL32(00000000), ref: 005AD249

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: a5c358d3c1ed4bb085028fc2e21a9ac76b2c8c950985589141cd22536ac8ff7d
Instruction ID: 94b86c2041c721b159a1692295751d21dd070ff7b2a0f9ba47d134bb537af9ee
Opcode Fuzzy Hash: a5c358d3c1ed4bb085028fc2e21a9ac76b2c8c950985589141cd22536ac8ff7d
Instruction Fuzzy Hash: A201C07A845205BBCB217BA5DC09BAE7E79FFC3330F104229F926925D0DB708901C6B0

Function 0058600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0058604C
GetStockObject.GDI32(00000011), ref: 00586060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0058606A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: d98b6f8203474c7a6d0e9eb1a8f0a938122f263840202287f5f201ea1cfd67e4
Instruction ID: 4c3f8bf1a9b51580ea73ed12dd2d0c10bb85f1c43b10f5f0cf0965c5335d930c
Opcode Fuzzy Hash: d98b6f8203474c7a6d0e9eb1a8f0a938122f263840202287f5f201ea1cfd67e4
Instruction Fuzzy Hash: 7211AD72101508FFEF129FA48C58EEABF6AFF083A4F045206FE0462110C7329C60DBA1

Function 005A3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 005A3B56

Part of subcall function 005A3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 005A3AD2
Part of subcall function 005A3AA3: ___AdjustPointer.LIBCMT ref: 005A3AED

_UnwindNestedFrames.LIBCMT ref: 005A3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 005A3B7C
CallCatchBlock.LIBVCRUNTIME ref: 005A3BA4

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 8eafd17f77e247d3729621d4c0c85d79ade99dcc9fb5c1332d991a4fdae9d3b4
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 8B01293210014ABBDF125E95DC4AEEF7F6AFF8A758F044014FE4856121C772E961DBA0

Function 005B3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,005813C6,00000000,00000000,?,005B301A,005813C6,00000000,00000000,00000000,?,005B328B,00000006,FlsSetValue), ref: 005B30A5
GetLastError.KERNEL32(?,005B301A,005813C6,00000000,00000000,00000000,?,005B328B,00000006,FlsSetValue,00622290,FlsSetValue,00000000,00000364,?,005B2E46), ref: 005B30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,005B301A,005813C6,00000000,00000000,00000000,?,005B328B,00000006,FlsSetValue,00622290,FlsSetValue,00000000), ref: 005B30BF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 47fc601212e2342df1cc719877b39879ae20f80aca71134739f0a0aa70a79da8
Instruction ID: ead6b4269cac03d668f329894d4c1a3665fb3c51d2fa6c4a38f41886149f2775
Opcode Fuzzy Hash: 47fc601212e2342df1cc719877b39879ae20f80aca71134739f0a0aa70a79da8
Instruction Fuzzy Hash: 5901243674522AABCB309B78AC489DB7F99BF05B71B244620FD06F3140CB21EA01C6E0

Function 005E7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 005E747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005E7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005E74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005E74CA

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 4006f8e1daa7a04de04639c74768a357d4fee45297ed890eb0a5b69bcb21873e
Instruction ID: 2c235009066a19aa10bc72c513480be6266b071533d388497d68a08b1a117114
Opcode Fuzzy Hash: 4006f8e1daa7a04de04639c74768a357d4fee45297ed890eb0a5b69bcb21873e
Instruction Fuzzy Hash: 171104B1249358AFEB24CF15DC08F967FFCFB04B10F10846AA6A6D6091D770E904DB50

Function 005EB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,005EACD3,?,00008000), ref: 005EB126

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 03748ec61124c5a65a520c9ea28b533d7af94b4d98d477f6baeb0c42f7ebc6e8
Instruction ID: 18eb7e55377c5dd774e68a565e739eac659fb002d85b33cd0653cf24f1ffa41a
Opcode Fuzzy Hash: 03748ec61124c5a65a520c9ea28b533d7af94b4d98d477f6baeb0c42f7ebc6e8
Instruction Fuzzy Hash: 7D117C30C40659E7DF08AFE5E9596EFBF78FF09322F009486D981B2241CB305550DB51

Function 00617E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00617E33
ScreenToClient.USER32(?,?), ref: 00617E4B
ScreenToClient.USER32(?,?), ref: 00617E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00617E8A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: a8161704bf123bb10c0a6c788c99fb5d9242fcdee2b8d5a0c9b9d760c9a58027
Instruction ID: 7fc86d3fac73ecd03671400a38a0f2b5cff6708953ff3e1aa88a5ad15fdcc372
Opcode Fuzzy Hash: a8161704bf123bb10c0a6c788c99fb5d9242fcdee2b8d5a0c9b9d760c9a58027
Instruction Fuzzy Hash: C61156B9D0024AAFDB41CF98C8849EEBBF5FF18310F549056E915E3210D775AA54CF90

Function 005E2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 005E2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 005E2DD6
GetCurrentThreadId.KERNEL32 ref: 005E2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 005E2DE4

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 56b6e741028e7d1f3a19ef89598b615cbee2467684b9170669f76514c253f08f
Instruction ID: b1f4f9f2f6518765b484652d3d98908395f770af4a3b06d3caf94a3746ad94a9
Opcode Fuzzy Hash: 56b6e741028e7d1f3a19ef89598b615cbee2467684b9170669f76514c253f08f
Instruction Fuzzy Hash: 48E06DB15812247AD7241B639C0EEEB3E6DFB42BB1F045116B205D1084DAA08841D6F0

Function 00618863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00599639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00599693
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996A2
Part of subcall function 00599639: BeginPath.GDI32(?), ref: 005996B9
Part of subcall function 00599639: SelectObject.GDI32(?,00000000), ref: 005996E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00618887
LineTo.GDI32(?,?,?), ref: 00618894
EndPath.GDI32(?), ref: 006188A4
StrokePath.GDI32(?), ref: 006188B2

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: a7b5b8fba77a2badbf6f1e5192b981f3eaa622098b7df950bc315340e2397786
Instruction ID: 645990a6773df07f8de3a42e09bd5c3acd658ffd055d539840b4289d06117118
Opcode Fuzzy Hash: a7b5b8fba77a2badbf6f1e5192b981f3eaa622098b7df950bc315340e2397786
Instruction Fuzzy Hash: BAF05E36081259FADB125F94AC0EFCE3F5AAF0A322F08C001FA11651E1C7755551CFE9

Function 005998B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 005998CC
SetTextColor.GDI32(?,?), ref: 005998D6
SetBkMode.GDI32(?,00000001), ref: 005998E9
GetStockObject.GDI32(00000005), ref: 005998F1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 22ace57b590d5cb113d4ef42a6d3dbb3dc02276a0d6d4848ce57717b23ebc885
Instruction ID: 562fa9c6611d0ab9d9ba8420049efcec0d8d5ec91df43336657066b3f23715bc
Opcode Fuzzy Hash: 22ace57b590d5cb113d4ef42a6d3dbb3dc02276a0d6d4848ce57717b23ebc885
Instruction Fuzzy Hash: FDE03931284284AADB215B78AC0ABEC3F22AB16336F18D21BF6BA580E1C37146509B11

Function 005E162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 005E1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,005E11D9), ref: 005E163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005E11D9), ref: 005E1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,005E11D9), ref: 005E164F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 7e1a6c71603da86cd343512b4415e4430d3f0ef2952da9116d589793a6831edb
Instruction ID: 9c72189b549de8a8857e3636592260d052b66dfdbd399c17c84386f65c6aa79f
Opcode Fuzzy Hash: 7e1a6c71603da86cd343512b4415e4430d3f0ef2952da9116d589793a6831edb
Instruction Fuzzy Hash: C4E08631641211DBD7201FA19D0DFCA3F7DBF447A2F18D809F285C9080D6344540C754

Function 005DD858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005DD858
GetDC.USER32(00000000), ref: 005DD862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005DD882
ReleaseDC.USER32(?), ref: 005DD8A3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7b39e588f5c329567ae8139d429a4cf90d0f508b26f2b0aa14a31c0dbd1d6625
Instruction ID: 5d1a940719f389248bb701d84a22c1f8a5dc06bde7d7a4eff199838c084549f9
Opcode Fuzzy Hash: 7b39e588f5c329567ae8139d429a4cf90d0f508b26f2b0aa14a31c0dbd1d6625
Instruction Fuzzy Hash: DAE01AB4840205EFCF41AFA0D90C6ADBFB2FB08321F18E40AE80AE7350C7384901AF90

Function 005DD86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 005DD86C
GetDC.USER32(00000000), ref: 005DD876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 005DD882
ReleaseDC.USER32(?), ref: 005DD8A3

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f8e2ee4d9252d507ac03ea6cf16a43b112925d411448efdeef50b4841bc48c8d
Instruction ID: 267ddbd8645ee6209d6e3892f9024b1a751696e77034bb62c95981f51098068e
Opcode Fuzzy Hash: f8e2ee4d9252d507ac03ea6cf16a43b112925d411448efdeef50b4841bc48c8d
Instruction Fuzzy Hash: CEE09A75D40205DFCF51AFA0D90C6ADBFB6BB48321B18A44AE94AE7250D73959019F90

Function 005F4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00587620: _wcslen.LIBCMT ref: 00587625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 005F4ED4

Strings

*, xrefs: 005F4E10
LPT, xrefs: 005F4DFB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 58f9adaef3c15ee9cda0e9687592855fe752269209f8cd212e9ea34f78725153
Instruction ID: ff292c81ac8951ceef8b1658cdadeb04bef7e8ed5d1b0161e4681edc8df5931c
Opcode Fuzzy Hash: 58f9adaef3c15ee9cda0e9687592855fe752269209f8cd212e9ea34f78725153
Instruction Fuzzy Hash: 35914A75A002099FCB14DF58C484EAABFF5BF48314F188099E90A9B362D735ED85CF91

Function 005AE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005AE30D

Strings

pow, xrefs: 005AE2E5, 005AE302

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: bee6adec460aa11049e19fcee72ed18fea758b216ae2b705b07fca8b22d4627d
Instruction ID: 1a3ff8e51ccf194df9acb615e096ff8bfc711fc3686b4ef104556dff757cf73a
Opcode Fuzzy Hash: bee6adec460aa11049e19fcee72ed18fea758b216ae2b705b07fca8b22d4627d
Instruction Fuzzy Hash: 1A515C61A0C6079ACF257724C9473FD3F98FFC5780F308D99E0D5462A9EB34AC919A46

Function 00607771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(005D569E,00000000,?,0061CC08,?,00000000,00000000), ref: 006078DD

Part of subcall function 00586B57: _wcslen.LIBCMT ref: 00586B6A

CharUpperBuffW.USER32(005D569E,00000000,?,0061CC08,00000000,?,00000000,00000000), ref: 0060783B

Strings

<sd, xrefs: 006077C8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sd
API String ID: 3544283678-2633845394
Opcode ID: fed7c8d048d4c16504e98ba55da156f1db825ce462ff5e969105df9cd619c4e3
Instruction ID: 9ca54bdacf35dabbfe5e83da0e6a5be4de52f94c65a2639942c5afde7680a345
Opcode Fuzzy Hash: fed7c8d048d4c16504e98ba55da156f1db825ce462ff5e969105df9cd619c4e3
Instruction Fuzzy Hash: A2615D7295411AEACF08FBA4CC99DFEBB79BF54700F544525E942B3191EF206A06CBA0

Function 0059E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0059E1B1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: f0b801e7e417a9ca3a820b861c475175dedd8b66407b678097a04478314ac052
Instruction ID: 7c5fec3bc0161918977e26b593ee9058667a9bdf3c79c08f5e0c8a9b213b5653
Opcode Fuzzy Hash: f0b801e7e417a9ca3a820b861c475175dedd8b66407b678097a04478314ac052
Instruction Fuzzy Hash: EE51FE39900286DBDF25EF28C4866FA7FA9FF65310F644057E891AF290D6349D42CBA0

Function 0059F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0059F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0059F2BB

Strings

@, xrefs: 0059F2AF

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 28d07bce2fe612fe2b7a7fc329af199d7f228700007f630ad68f05d9ea5d12d2
Instruction ID: b2e955a251f2807749a7cfb3fef992d876277ced32c76ffbcd4a786b30edb0a9
Opcode Fuzzy Hash: 28d07bce2fe612fe2b7a7fc329af199d7f228700007f630ad68f05d9ea5d12d2
Instruction Fuzzy Hash: 515157714087499BE320AF10E88ABAFBBF8FFC4304F91884DF59951195EB308529CB66

Function 00605745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 006057E0
_wcslen.LIBCMT ref: 006057EC

Strings

CALLARGARRAY, xrefs: 006057E6, 006057EB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 3075de71d019c34aa811dcfa5698fb1bfa974a0b1304b8b65ff386d99fea9e98
Instruction ID: 4de20cafc42e244da985b4d29bac8cf18623e5dc50e2960eca4e948b6e3eb804
Opcode Fuzzy Hash: 3075de71d019c34aa811dcfa5698fb1bfa974a0b1304b8b65ff386d99fea9e98
Instruction Fuzzy Hash: 57417031A4011A9FCB08DFA9C8858EFBBB6FF99350F148059E906A7291E7709D81CF90

Function 005FD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 005FD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005FD13A

Strings

|, xrefs: 005FD10B

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 3b5d03a4ec45007e13e65ca0e372d04772567e706beca8c35a1d4cc3350acd59
Instruction ID: b1dca8f68c06ffe2847efd041986c4400e3d11ab4e060524dc40ae56b93bd632
Opcode Fuzzy Hash: 3b5d03a4ec45007e13e65ca0e372d04772567e706beca8c35a1d4cc3350acd59
Instruction Fuzzy Hash: EB310871D0020AABCF15EFA4CC89EEEBFBAFF45300F000019E915B6161D735AA16DB60

Function 0061356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00613621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0061365C

Strings

static, xrefs: 006135BC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 3945ff4591683b8438ef693c08d78ddc9c8b463f6afbb767e07a93010ec766ac
Instruction ID: 0ca825789b1961a709b284ebac89c963d04e8c6965b6f350c59399684d9722a8
Opcode Fuzzy Hash: 3945ff4591683b8438ef693c08d78ddc9c8b463f6afbb767e07a93010ec766ac
Instruction Fuzzy Hash: BC319E71100204AEDB10DF78DC81EFB77AAFF88764F149619F9A6D7290DA31AD91C7A0

Function 00614537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0061461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00614634

Strings

', xrefs: 0061458E

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 2e93cfe435855464bf5cc47d0406ece3862f91652ffbb185b957188ee3f062b2
Instruction ID: 3116bb459cea5795131d810d084b12fb8c3f9e6661c9b4078c9124e2fe74809d
Opcode Fuzzy Hash: 2e93cfe435855464bf5cc47d0406ece3862f91652ffbb185b957188ee3f062b2
Instruction Fuzzy Hash: 31311A74A0130A9FDF14CF69C990BDA7BB6FF49344F18406AE905AB351DB70A941CF90

Function 006131EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0061327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00613287

Strings

Combobox, xrefs: 00613249

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d919a6899d9446bc4ef6616c0ed26a24274d13a014dc2ef9b2fa733dd1060fd8
Instruction ID: cef1d8e5d67e2817acdf171c794a7b3fae2634f74225aeee234cae4013642af5
Opcode Fuzzy Hash: d919a6899d9446bc4ef6616c0ed26a24274d13a014dc2ef9b2fa733dd1060fd8
Instruction Fuzzy Hash: 7B11B2713002197FEF21AF54DC85EFB3B6BEB98364F144129F919A7390D6319E918760

Function 00613710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0058600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0058604C
Part of subcall function 0058600E: GetStockObject.GDI32(00000011), ref: 00586060
Part of subcall function 0058600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0058606A

GetWindowRect.USER32(00000000,?), ref: 0061377A
GetSysColor.USER32(00000012), ref: 00613794

Strings

static, xrefs: 00613757

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 1840f39a56230e52276d10685dd0bf09a1dbe754252d35185582bc7ab9c514b8
Instruction ID: c76c0502d87d575727db693b467c67d427768f2523013652de4201afbdf071a0
Opcode Fuzzy Hash: 1840f39a56230e52276d10685dd0bf09a1dbe754252d35185582bc7ab9c514b8
Instruction Fuzzy Hash: B41159B261021AAFDB01DFA8CC46AEE7BBAFB08314F044515F956E2250E734E8519B50

Function 005FCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005FCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005FCDA6

Strings

<local>, xrefs: 005FCD66

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 3b1badb956de4d2b8bc1902e3529af58e66d50b224854bf3ef1414b845aef938
Instruction ID: 7f2d9f0e7dc778ab9918ab213d1cd605fb036f981b8005d61156eb6b29d45033
Opcode Fuzzy Hash: 3b1badb956de4d2b8bc1902e3529af58e66d50b224854bf3ef1414b845aef938
Instruction Fuzzy Hash: 0311A07124567DBAD7284B668C49EFBBEA9FF127B4F00463AB209C3180D6789841D6F0

Function 00613429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006134AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006134BA

Strings

edit, xrefs: 0061348F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d4f67ff8bb15e84e146c6fa153debf7a29eaf2a41db7892aee02aa4692c957cd
Instruction ID: 313520e4e512b90d48caf816f795216ae3ad79e4c04ed0eb06c35616a750f00c
Opcode Fuzzy Hash: d4f67ff8bb15e84e146c6fa153debf7a29eaf2a41db7892aee02aa4692c957cd
Instruction Fuzzy Hash: EE11BF71100218AFEB218F64DC44AEB37ABEB15374F544324F962933E0C731DC919750

Function 005E6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

CharUpperBuffW.USER32(?,?,?), ref: 005E6CB6
_wcslen.LIBCMT ref: 005E6CC2

Strings

STOP, xrefs: 005E6CBC, 005E6CC1

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: db6f6cb5abe67218d13e1423ab1e587f1d18c82132d43d750bbb2ea97a5ef121
Instruction ID: 04a2dabece942dc02ae92234a380a87307a3b5fd5fc02e73b43f97150175ace5
Opcode Fuzzy Hash: db6f6cb5abe67218d13e1423ab1e587f1d18c82132d43d750bbb2ea97a5ef121
Instruction Fuzzy Hash: 5C0104326005678BCB24AFBECC858BF7FA5FAB17D07900929E892A2191EA31DC00C750

Function 005E1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005E1D4C

Strings

ListBox, xrefs: 005E1D16
ComboBox, xrefs: 005E1CEB

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 91a0eda6ca7a9eabbe6369b04c94490c031f94beb974803b657be72fbe7fb05f
Instruction ID: 01ebe2ea564940a5dcc37f3dbdec1eea41cdea4528effd71389b60cd4836b44f
Opcode Fuzzy Hash: 91a0eda6ca7a9eabbe6369b04c94490c031f94beb974803b657be72fbe7fb05f
Instruction Fuzzy Hash: 8E01D871601619ABCB0CFBA5CD59CFE7B69FF86350B14091AF8B2672C1EA3159088760

Function 005E1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 005E1C46

Strings

ListBox, xrefs: 005E1C10
ComboBox, xrefs: 005E1BE5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f99b5bbf20dddd8ad748d1ae45658a0a6dde9a0ab5087e11f28cbc6c48c92110
Instruction ID: b53a9e540cc44b2031671c736bc61004915081330b5ddabb92c03831e9e1951d
Opcode Fuzzy Hash: f99b5bbf20dddd8ad748d1ae45658a0a6dde9a0ab5087e11f28cbc6c48c92110
Instruction Fuzzy Hash: 8E01FC71B8114567CB08F791C95A9FF7BA8BF51340F240015B88AB3181EA319E0887B5

Function 005E1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 005E1CC8

Strings

ListBox, xrefs: 005E1C94
ComboBox, xrefs: 005E1C69

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7045960f24c83f8b50076f1a2c9e880a780b3c81f80024aa8d9d7c05bed0a94f
Instruction ID: c55bcb458d57e1462431b367455e77b5215581baaad29ebe2be058d87f4f8d37
Opcode Fuzzy Hash: 7045960f24c83f8b50076f1a2c9e880a780b3c81f80024aa8d9d7c05bed0a94f
Instruction Fuzzy Hash: 6A01DBB1A8155567DB08F791CA1AAFE7BA8BF51380F240015BC46B3281EA319F08C775

Function 0059A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0059A529

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Strings

,%e, xrefs: 0059A509
3y], xrefs: 0059A545, 0059A54D, 0059A552

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%e$3y]
API String ID: 2551934079-1905814648
Opcode ID: 4460d626c346ca263dbfb144c213f953a564fc41fc66bb7c8b557bcb9929a994
Instruction ID: 202ceedc26fb9df02e777ab68f4292db79605974d79f31cb5a7d60c65ef2b109
Opcode Fuzzy Hash: 4460d626c346ca263dbfb144c213f953a564fc41fc66bb7c8b557bcb9929a994
Instruction Fuzzy Hash: 2A012632B006228BCE04F768EC5FABD3F55FB86721F451428F906671C2EE109D418AE7

Function 005E1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00589CB3: _wcslen.LIBCMT ref: 00589CBD

Part of subcall function 005E3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 005E3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 005E1DD3

Strings

ListBox, xrefs: 005E1DA0
ComboBox, xrefs: 005E1D75

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 7889f9fc98986e9c3b7d4f89cc9010cc751b30af8c4fb212bef69c19fc8c8c02
Instruction ID: 4739c240e1453bbb6c78f77d30d1aebd6e92d8da90726cbd416b54cb90b37b5a
Opcode Fuzzy Hash: 7889f9fc98986e9c3b7d4f89cc9010cc751b30af8c4fb212bef69c19fc8c8c02
Instruction Fuzzy Hash: D4F0F4B1A4161A67DB08F7A5CD5AAFE7B68BF42350F080915B862732C2EA7199088764

Function 00618172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00653018,0065305C), ref: 006181BF
CloseHandle.KERNEL32 ref: 006181D1

Strings

\0e, xrefs: 0061818A

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0e
API String ID: 3712363035-2021240290
Opcode ID: a9ec03087abd1a8257b0829a2f5b131c118e5240ad5751d55c0bd63cef2f476b
Instruction ID: 2a818f59ba254d6304f405f2201aa4a637abc5126cce01adc6cb4e983ccf86fe
Opcode Fuzzy Hash: a9ec03087abd1a8257b0829a2f5b131c118e5240ad5751d55c0bd63cef2f476b
Instruction Fuzzy Hash: B4F089B1640320BEE710AB656C4AFBB3E5EEB05FA6F005421BF08D52E1D6758E1483F4

Function 0060747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00607493
_wcslen.LIBCMT ref: 006074B9

Strings

3, 3, 16, 1, xrefs: 00607483

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0f8385643e5e52935e3aff54a115a26159879e3887356c55af2fa5bf00aee68e
Instruction ID: 8f5a5c5b856edb5d40c2f48a68f572a07f088816b81728140a858f0a67426fe5
Opcode Fuzzy Hash: 0f8385643e5e52935e3aff54a115a26159879e3887356c55af2fa5bf00aee68e
Instruction Fuzzy Hash: A5E02B02A4426114D33516B99CC59BF9ECFDFC6750710182BF981C23A6EAD4ADA193A0

Function 005E0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005E0B23

Strings

Error allocating memory., xrefs: 005E0B1C
AutoIt, xrefs: 005E0B17

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 342d696fc383d4aa68a78bc5937fe8c1cceb8b59f6028425c04e8e596b69ac8a
Instruction ID: 4ede93399307f3ae51ee2d04c245d49cebc6e71f13404fd2dd12907127778d28
Opcode Fuzzy Hash: 342d696fc383d4aa68a78bc5937fe8c1cceb8b59f6028425c04e8e596b69ac8a
Instruction Fuzzy Hash: 80E0D83128434927D31436947C07FCD7E8AAF46F20F140426FB88D54C38AD2649007E9

Function 005A0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0059F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005A0D71,?,?,?,0058100A), ref: 0059F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0058100A), ref: 005A0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0058100A), ref: 005A0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005A0D7F

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b340b0123fb8561164e094fb7a006a904c3091dc5ffcb92cf44d5f96d103a828
Instruction ID: 5f8210a09de4db085c5adfcddcc20ba47276b1bda703b1c2359891ee19c5aba9
Opcode Fuzzy Hash: b340b0123fb8561164e094fb7a006a904c3091dc5ffcb92cf44d5f96d103a828
Instruction Fuzzy Hash: A5E06D742007018BD7609FB8D40838A7FE1BB01744F04992DE486C66A1DBB5E4888B91

Function 0059E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0059E3D5

Strings

8%e, xrefs: 0059E3CA
0%e, xrefs: 0059E3B5

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%e$8%e
API String ID: 1385522511-3821002725
Opcode ID: f45f6209c3cd482c205fe6ee0cc7f2f169f2fd32f1c83d3e57d4e5b27ea058b0
Instruction ID: 8ceef89706a1fa771ddb4af791a60f86b09a5fbd0aa590ddfd2615ada61bf67c
Opcode Fuzzy Hash: f45f6209c3cd482c205fe6ee0cc7f2f169f2fd32f1c83d3e57d4e5b27ea058b0
Instruction Fuzzy Hash: 44E08635414B12CBCF04DF18F87AA9C3B57FB57321F502965E5128B1D1BB3038818655

Function 005F3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 005F302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 005F3044

Strings

aut, xrefs: 005F3038

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: ec33ad5f7bcfc829caa5e09b7985bc2b3128a2a1c97a15d2f7dbf38adad3b0f0
Instruction ID: 666adfac950e5177cd147c7bdc1623bbfee17d195470bae8952a3d3d19b0fea4
Opcode Fuzzy Hash: ec33ad5f7bcfc829caa5e09b7985bc2b3128a2a1c97a15d2f7dbf38adad3b0f0
Instruction Fuzzy Hash: 8DD05EB254032867DB20A7A4AC0EFCB3A6CDB05760F0002A2B655E20A1DAF09A84CAD0

Function 005DD21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005DD220

Strings

%.3d, xrefs: 005DD22B
X64, xrefs: 005DD2A8

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 3d05c6721c25b5936604f9e6c64aac99faec4a0d9062bc522a410041f26c2c58
Instruction ID: 0be81f10fd620b03048ae592d905ff65f9f9e80d3573b7d4fc3f88e7650b0a78
Opcode Fuzzy Hash: 3d05c6721c25b5936604f9e6c64aac99faec4a0d9062bc522a410041f26c2c58
Instruction Fuzzy Hash: 66D012A5848109EACFA0DAD4CC498FDBB7CFB18341F508853F806D1140E634C5086771

Function 00612356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0061236C
PostMessageW.USER32(00000000), ref: 00612373

Part of subcall function 005EE97B: Sleep.KERNEL32 ref: 005EE9F3

Strings

Shell_TrayWnd, xrefs: 00612365

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a75239c9ad436fa7ebebc2783d8e7aa0562e8be6db10f69fd4c48eb5cac033a5
Instruction ID: d176b265a682d6e6ddf01c231634b20d47afffb6d59288e0833489bed816e163
Opcode Fuzzy Hash: a75239c9ad436fa7ebebc2783d8e7aa0562e8be6db10f69fd4c48eb5cac033a5
Instruction Fuzzy Hash: 89D0A9323C03007AE368A371DC0FFCAAA06AB00B20F0089027241EA0D0C8A0A800CA44

Function 00612322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0061232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0061233F

Part of subcall function 005EE97B: Sleep.KERNEL32 ref: 005EE9F3

Strings

Shell_TrayWnd, xrefs: 00612325

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d456f348369beae6f00c0803dc9d79059250b57cc83c952bfdfd22022df33a52
Instruction ID: 9244b57439177c9ea0712f6ba960dc4024b26fd7413f6c0b96b4d8207ef95528
Opcode Fuzzy Hash: d456f348369beae6f00c0803dc9d79059250b57cc83c952bfdfd22022df33a52
Instruction Fuzzy Hash: 31D022323D0300BBE368B371DC0FFCABA06AB00B20F0089037345EA0D0C8F0A800CA40

Function 005BBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 005BBE93
GetLastError.KERNEL32 ref: 005BBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 005BBEFC

Memory Dump Source

Source File: 00000000.00000002.1373724657.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.1373661245.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.000000000061C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374093276.0000000000642000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374669936.000000000064C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1374718527.0000000000654000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 39075770a62c876b8b9e1971515d70eb8d48675152ff084dfb1e7a2e9793c688
Instruction ID: ad0935635b3d1796ff2c1fc37de5135a8d2ed5dbc8361830454100fa21bf953b
Opcode Fuzzy Hash: 39075770a62c876b8b9e1971515d70eb8d48675152ff084dfb1e7a2e9793c688
Instruction Fuzzy Hash: 8441A534604206AFEF218FA5CC84AFE7FA9BF42720F144169F959571A1DBF1AD01DB60

Source: Joe Sandbox View	IP Address: 151.101.1.91 151.101.1.91
Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000F.00000003.1509144918.00000279FBB4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1509144918.00000279FBB4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1509144918.00000279FBB4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1509144918.00000279FBB4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1509144918.00000279FBB4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1421919141.0000027A00F69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1498235079.0000027A02BB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1541755011.0000027A02BBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1462172149.0000027A02BB6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1493118193.0000027A031A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535775485.0000027A031A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513549355.0000027A031A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1506287140.0000027A00165000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1506287140.0000027A00165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515534830.0000027A00129000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1503588054.0000027A02A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1506287140.0000027A00165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515534830.0000027A00153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1503588054.0000027A02A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1498235079.0000027A02BB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1504929210.0000027A00E95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1541755011.0000027A02BBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1493118193.0000027A031A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535775485.0000027A031A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1513549355.0000027A031A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1533269484.00000279F7C74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1533269484.00000279F7C74000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1506287140.0000027A00165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515534830.0000027A00129000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1503588054.0000027A02A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1506287140.0000027A00165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1515534830.0000027A00153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1503588054.0000027A02A8C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1547100797.00000279FB5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2565207170.000002476190A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1547100797.00000279FB5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2565207170.000002476190A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000000F.00000003.1553694812.00000279F9976000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1547100797.00000279FB5BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.2565207170.000002476190A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1536191119.0000027A03113000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1498235079.0000027A02BB6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1533269484.00000279F7C9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1552536922.0000027A014BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000F.00000003.1493118193.0000027A031A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1520505248.00000279F9B6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1535775485.0000027A031A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1552536922.0000027A014BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1543168957.0000027A014BB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000003.1504929210.0000027A00E3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000F.00000003.1463507626.0000027A00E3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49769 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.91:443 -> 192.168.2.7:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49896 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49893 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49897 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49898 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49906 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49905 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6f4a5942-9bea-42d7-833d-41b2024515a8.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_6f4a5942-9bea-42d7-833d-41b2024515a8.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre