Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1562858
MD5:	0f6832047e7bced4a803541e7c53fd0f
SHA1:	d384c8fd05f725f0557b74d471a07658e177d40d
SHA256:	d04d6399b3c5ae64db783bee5a7ff7e996c157c149ebb8126a4c3b8777411900
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 4948 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 0F6832047E7BCED4A803541E7C53FD0F)

taskkill.exe (PID: 5104 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7196 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7252 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7316 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7380 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7444 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7476 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7488 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7732 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65155996-2b93-46e9-ae4e-1c1110218147} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 192f6c70710 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7288 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -parentBuildID 20230927232528 -prefsHandle 3760 -prefMapHandle 1472 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ddfb0ec-930d-44cc-b925-82879c9ace8a} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19289111510 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8188 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 4952 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90187dd2-4e8f-474f-9614-3c8c610e39d8} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19288829510 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 4948	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_004BEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_004BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_004BED6A

Source: C:\Users\user\Desktop\file.exe

0_2_004BEAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_004AAA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004D9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_004D9576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_267981c6-c
Source: file.exe, 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_64807844-e
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c1957992-6
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3effe875-9

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000027F08A440F7 NtQuerySystemInformation,		24_2_0000027F08A440F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000027F08A694F2 NtQuerySystemInformation,		24_2_0000027F08A694F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AD5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_004AD5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_004A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004AE8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044BF40	0_2_0044BF40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B2046	0_2_004B2046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00448060	0_2_00448060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A8298	0_2_004A8298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047E4FF	0_2_0047E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047676B	0_2_0047676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D4873	0_2_004D4873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044CAF0	0_2_0044CAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046CAA0	0_2_0046CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045CC39	0_2_0045CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00476DD9	0_2_00476DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045B119	0_2_0045B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004491C0	0_2_004491C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461394	0_2_00461394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461706	0_2_00461706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046781B	0_2_0046781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045997D	0_2_0045997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00447920	0_2_00447920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004619B0	0_2_004619B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00467A4A	0_2_00467A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461C77	0_2_00461C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00467CA7	0_2_00467CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004CBE44	0_2_004CBE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00479EEE	0_2_00479EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00461F32	0_2_00461F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000027F08A440F7	24_2_0000027F08A440F7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000027F08A694F2	24_2_0000027F08A694F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000027F08A69C1C	24_2_0000027F08A69C1C
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 24_2_0000027F08A69532	24_2_0000027F08A69532

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00449CB3 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0045F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00460A30 appears 46 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal72.troj.evad.winEXE@34/34@75/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B37B5 GetLastError,FormatMessageW,

0_2_004B37B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A10BF AdjustTokenPrivileges,CloseHandle,		0_2_004A10BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004A16C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_004B51CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_004AD4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_004B648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_004442A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user~1\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 00000013.00000003.1399891875.000001928F2A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe

Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65155996-2b93-46e9-ae4e-1c1110218147} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 192f6c70710 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -parentBuildID 20230927232528 -prefsHandle 3760 -prefMapHandle 1472 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ddfb0ec-930d-44cc-b925-82879c9ace8a} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19289111510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 4952 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90187dd2-4e8f-474f-9614-3c8c610e39d8} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19288829510 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65155996-2b93-46e9-ae4e-1c1110218147} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 192f6c70710 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -parentBuildID 20230927232528 -prefsHandle 3760 -prefMapHandle 1472 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ddfb0ec-930d-44cc-b925-82879c9ace8a} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19289111510 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 4952 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90187dd2-4e8f-474f-9614-3c8c610e39d8} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19288829510 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: webauthn.pdb source: firefox.exe, 00000013.00000003.1367154569.0000019284383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: wshbth.pdbGCTL source: firefox.exe, 00000013.00000003.1392699683.0000019293357000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 00000013.00000003.1392108374.000001929334C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1392229811.000001929334D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdb source: firefox.exe, 00000013.00000003.1392108374.0000019293307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wshbth.pdb source: firefox.exe, 00000013.00000003.1392699683.0000019293357000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 00000013.00000003.1392108374.000001929334C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1392229811.000001929334D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 00000013.00000003.1390201780.0000019284383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.19.dr
Source:	Binary string: webauthn.pdbGCTL source: firefox.exe, 00000013.00000003.1367154569.0000019284383000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: pnrpnsp.pdbUGP source: firefox.exe, 00000013.00000003.1392108374.0000019293307000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 00000013.00000003.1390201780.0000019284383000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: gmpopenh264.dll.tmp.19.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00460A76 push ecx; ret

0_2_00460A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0045F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0045F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_004D1C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-94905

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_0000027F08A440F7 rdtsc

24_2_0000027F08A440F7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.7 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_004ADBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0047C2A2 FindFirstFileExW,	0_2_0047C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B68EE FindFirstFileW,FindClose,	0_2_004B68EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_004B698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004AD076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004AD3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004B9642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_004B979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_004B9B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004B5C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_004B5C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: firefox.exe, 00000019.00000002.2514168831.0000022277D6A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`?
Source: firefox.exe, 00000015.00000002.2516259930.000001783840A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: firefox.exe, 00000015.00000002.2525249551.0000017838D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVb
Source: firefox.exe, 00000018.00000002.2513818072.0000027F080DA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPf
Source: firefox.exe, 00000015.00000002.2516259930.000001783840A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2522248088.0000027F08920000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2522967258.0000022278140000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000013.00000003.1487336062.00000192FFDC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2523999111.000001783891D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000015.00000002.2525249551.0000017838D40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2522248088.0000027F08920000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 24_2_0000027F08A440F7 rdtsc

24_2_0000027F08A440F7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004BEAA2 BlockInput,

0_2_004BEAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00472622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00472622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00464CE8 mov eax, dword ptr fs:[00000030h]

0_2_00464CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_004A0B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00472622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00472622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0046083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0046083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004609D5 SetUnhandledExceptionFilter,	0_2_004609D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00460C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00460C21

Source: C:\Users\user\Desktop\file.exe

0_2_004A1201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00482BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00482BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004AB226 SendInput,keybd_event,

0_2_004AB226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_004C22DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_004A0B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004A1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_004A1663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000013.00000003.1371970193.0000019293362000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hSoftware\Policies\Microsoft\Windows\PersonalizationNoChangingStartMenuBackgroundPersonalColors_BackgroundWilStaging_02RtlDisownModuleHeapAllocationRtlQueryFeatureConfigurationRtlRegisterFeatureConfigurationChangeNotificationRtlSubscribeWnfStateChangeNotificationRtlDllShutdownInProgressntdll.dllNtQueryWnfStateDataLocal\SM0:%d:%d:%hs_p0Local\SessionImmersiveColorPreferenceBEGINTHMthmfile\Sessions\%d\Windows\ThemeSectionMessageWindowendthemewndThemeApiConnectionRequest\ThemeApiPortwinsta0SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\PersonalizeAppsUseLightThemeSystemUsesLightThemedefaultshell\themes\uxtheme\render.cppCompositedWindow::WindowdeletedrcacheMDIClientSoftware\Microsoft\Windows\DWMColorPrevalenceSoftware\Microsoft\Windows\CurrentVersion\ImmersiveShellTabletModeMENUAccentColorSoftware\Microsoft\Windows\CurrentVersion\Explorer\AccentDefaultStartColorControl Panel\DesktopAutoColorizationAccentColorMenuStartColorMenuAutoColorSoftware\Microsoft\Windows\CurrentVersion\Themes\History\ColorsSoftware\Microsoft\Windows\CurrentVersion\Themes\HistoryAccentPaletteTab$Shell_TrayWndLocal\SessionImmersiveColorMutex

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00460698 cpuid

0_2_00460698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004B8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_004B8195

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0049D27A GetUserNameW,

0_2_0049D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0047B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0047B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004442DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004442DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4948, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 4948, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_004C1204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_004C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	37%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.193	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.193.91	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.78	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	172.217.19.174	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.193.140	true	false	high
ipv4only.arpa	192.0.0.170	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/proposedEnrollment	firefox.exe, 00000013.00000003.1340656195.0000019287E93000.00000004.00000800.00020000.00000000.sdmp	false	high
http://detectportal.firefox.com/	firefox.exe, 00000013.00000003.1482933273.00000192880A2000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/1http://mozilla.org/#/properties/targeting	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/schemaVersion	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000015.00000002.2519126097.0000017838772000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2515423140.0000027F08386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516739401.000002227808F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com/spocs	firefox.exe, 00000013.00000003.1492874315.000001928A374000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill	firefox.exe, 00000013.00000003.1396532977.0000019292BE5000.00000004.00000800.00020000.00000000.sdmp	false	high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 00000013.00000003.1485157125.000001928749F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 00000013.00000003.1461925556.0000019292773000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestBlockingEnabledhttp://mozilla.org/#/properties/quickSugg	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://xhr.spec.whatwg.org/#sync-warning	firefox.exe, 00000013.00000003.1333573204.000001928F430000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 00000013.00000003.1481503827.000001928F5AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1490725929.000001928F5B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310673859.0000019286B7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1434648427.0000019288731000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310174715.0000019286900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310429302.0000019286B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1452988458.000001928872F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1470148474.000001928F5AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310538137.0000019286B60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310316390.0000019286B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1463873318.000001928F5AA000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/userFacingName	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestSponsoredEnabled	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/mozilla-services/screenshots	firefox.exe, 00000013.00000003.1310174715.0000019286900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310429302.0000019286B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310538137.0000019286B60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1310316390.0000019286B21000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/proposedDurationhttp://mozilla.org/#/properties/startDatehttp://mozi	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	firefox.exe, 00000013.00000003.1480961871.00000192883F8000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/outcomes/items	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestSponsoredIndex	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 00000013.00000003.1473164337.00000192896E6000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://exslt.org/common	firefox.exe, 00000013.00000003.1467344352.00000192FFC8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1460406177.00000192FFC8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1474290691.00000192FFC8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1487595117.00000192FFC8A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 00000013.00000003.1333573204.000001928F441000.00000004.00000800.00020000.00000000.sdmp	false	high
http://exslt.org/dates-and-times	firefox.exe, 00000013.00000003.1488129740.00000192FFC61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1460406177.00000192FFC54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1467344352.00000192FFC54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1474845841.00000192FFC54000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/csvImport	firefox.exe, 00000013.00000003.1340494893.0000019287E9F000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://MD8.mozilla.org/1/m	firefox.exe, 00000013.00000003.1480961871.00000192883CB000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/featureIds/itemshttp://mozilla.org/#/properties/branches	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 00000013.00000003.1482001174.000001928F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2515423140.0000027F083C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516739401.00000222780C4000.00000004.00000800.00020000.00000000.sdmp	false	high
https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152	firefox.exe, 00000013.00000003.1435218324.0000019288644000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mo	firefox.exe, 00000013.00000003.1465933469.00000192896A1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://spocs.getpocket.com/	firefox.exe, 00000013.00000003.1492874315.000001928A374000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2515423140.0000027F08312000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516739401.0000022278013000.00000004.00000800.00020000.00000000.sdmp	false	high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/featureI	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/endDate	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/addonsFeatureGate	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/addonsShowLessFrequentlyCap	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/autoFillAdaptiveHistoryEnabled	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThresholdhttp://mozilla.org/#/propert	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 00000013.00000003.1400655138.000001928F07A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://monitor.firefox.com/about	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnithttp://mozilla.org/#/proper	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/enrollmentEndDate	firefox.exe, 00000013.00000003.1340656195.0000019287E93000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/proposedDurationhttp://mozilla.org/#/properties/startDate	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.zhihu.com/	firefox.exe, 00000013.00000003.1471736611.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1400655138.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1479370472.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1444010721.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.c.lencr.org/0	firefox.exe, 00000013.00000003.1395622059.0000019292CCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1400058627.000001928F274000.00000004.00000800.00020000.00000000.sdmp	false	high
http://x1.i.lencr.org/0	firefox.exe, 00000013.00000003.1395622059.0000019292CCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1400058627.000001928F274000.00000004.00000800.00020000.00000000.sdmp	false	high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 00000013.00000003.1330565608.000001928F14F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1412511858.000001928F148000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/outcomes	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://duckduckgo.com/?t=ffab&q=	firefox.exe, 00000013.00000003.1399761649.000001928FC1E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestShouldShowOnboardingDialoghttp://mozilla.org/#/propertie	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/bucketConfig/properties/namespacehttp://mozilla.org/#/properties/out	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://identity.mozilla.com/apps/relay	firefox.exe, 00000013.00000003.1466817308.0000019288A0B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 00000013.00000003.1401388095.000001928A13C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 00000013.00000003.1313047535.0000019286733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1312071379.0000019286733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1312794536.000001928672F000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 00000013.00000003.1482001174.000001928F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1492874315.000001928A366000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://screenshots.firefox.com/	firefox.exe, 00000013.00000003.1310316390.0000019286B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1460314785.00000192FFDF0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://gpuweb.github.io/gpuweb/	firefox.exe, 00000013.00000003.1400655138.000001928F07A000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value/ad	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	firefox.exe, 00000013.00000003.1474290691.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478312007.00000192FFCB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1467344352.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1460406177.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2519126097.00000178387CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2515423140.0000027F083E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2523522183.0000022278303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.19.dr	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://www.olx.pl/	firefox.exe, 00000013.00000003.1471736611.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1400655138.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1479370472.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1444010721.000001928F0BF000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/0/items/properties/ratio	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/bucketConfig/properties/starthttp://mozilla.org/#/properties/bucketC	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4	firefox.exe, 00000013.00000003.1333573204.000001928F427000.00000004.00000800.00020000.00000000.sdmp	false	high
https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2	firefox.exe, 00000013.00000003.1333573204.000001928F427000.00000004.00000800.00020000.00000000.sdmp	false	high
https://watch.sling.com/	firefox.exe, 00000013.00000003.1485157125.00000192874B0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/isEnrollmentPausedA	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/google/closure-compiler/issues/3177	firefox.exe, 00000013.00000003.1330565608.000001928F14F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1412511858.000001928F148000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestShouldShowOnboardingDialog	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/appId	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
https://www.google.com/complete/	firefox.exe, 00000013.00000003.1491698216.000001928F233000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1464754667.000001928F220000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarningElem	firefox.exe, 00000013.00000003.1333573204.000001928F43A000.00000004.00000800.00020000.00000000.sdmp	false	high
https://webextensions.settings.services.mozilla.com/v1	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts	firefox.exe, 00000013.00000003.1412511858.000001928F131000.00000004.00000800.00020000.00000000.sdmp	false	high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	firefox.exe, 00000013.00000003.1474290691.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478312007.00000192FFCB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1467344352.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1460406177.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2519126097.00000178387CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2515423140.0000027F083E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2523522183.0000022278303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.19.dr	false	high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	firefox.exe, 00000013.00000003.1474290691.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478312007.00000192FFCB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1467344352.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1460406177.00000192FFCAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000015.00000002.2519126097.00000178387CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2515423140.0000027F083E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2523522183.0000022278303000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.19.dr	false	high
https://addons.mozilla.org/%LOCALE%/firefox/	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://json-schema.org/draft-06/schema#	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/branches/anyOf/1/items	firefox.exe, 00000013.00000003.1340656195.0000019287E93000.00000004.00000800.00020000.00000000.sdmp	false	high
http://mozilla.org/#/properties/quickSuggestImpressionCapsNonSponsoredEnabled	firefox.exe, 00000013.00000003.1340552676.0000019287E97000.00000004.00000800.00020000.00000000.sdmp	false	high
http://developer.mozilla.org/en/docs/DOM:element.removeEventListener	firefox.exe, 00000013.00000003.1333573204.000001928F430000.00000004.00000800.00020000.00000000.sdmp	false	high
https://spocs.getpocket.com	firefox.exe, 00000013.00000003.1398833930.000001928FC79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1492874315.000001928A374000.00000004.00000800.00020000.00000000.sdmp	false	high
https://developers.google.com/safe-browsing/v4/advisory	firefox.exe, 00000015.00000002.2518391658.00000178385A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2521356021.0000027F08450000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.2523137383.0000022278240000.00000002.10000000.00040000.00000000.sdmp	false	high
http://json-schema.org/draft-07/schema#Array	firefox.exe, 00000013.00000003.1340773012.0000019287E77000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
151.101.193.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
142.250.181.78	youtube.com	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562858
Start date and time:	2024-11-26 08:02:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@34/34@75/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 40 Number of non-executed functions: 312
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.27.142.243, 52.32.237.164, 34.209.229.249, 172.217.17.42, 172.217.17.78, 23.200.87.12, 23.200.86.251
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, otelrules.azureedge.net, slscr.update.microsoft.com, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, time.windows.com, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:03:14	API Interceptor	1x Sleep call for process: firefox.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.193.91	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.160.144.191	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
twitter.com	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.129
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.193

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.116.198.130
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	Finish_Agreement_DocuSign.pdf	Get hash	malicious	Unknown	Browse	151.101.66.137
	http://www.btc1yby.blogspot.rs/	Get hash	malicious	GRQ Scam	Browse	151.101.66.208
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	kkEzK284oT.exe	Get hash	malicious	HTMLPhisher	Browse	151.101.2.132
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.1.91
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
ATGS-MMD-ASUS	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91 35.244.181.201 34.149.100.209 34.160.144.191 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ad08eff1-d069-4d3e-ad86-61be7f6cb8c0.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.174084051989748
Encrypted:	false
SSDEEP:	192:YwCVMvMX02pcbhbVbTbfbRbObtbyEl7nEr9JA6unSrDtTkd/S9V:YXVF1cNhnzFSJkr41nSrDhkd/cV
MD5:	58AAB61E81C5BBD78D05E9F1864F1ED4
SHA1:	63C443B995D2DC7B0042960D9BE2C5228F1B06F8
SHA-256:	74693507E721079321036958DA6C23F679836ECBDFF8FC2168F629AC2698C753
SHA-512:	80F411A0C8C269EBEE88242AE9275DE746D1E00C7797D345B37C3C8DAD4A371422491C765893A32C2C592AC7A8879BBD71A279D752FD9A7BF7584D5548B775A5
Malicious:	false
Preview:	{"type":"uninstall","id":"ad08eff1-d069-4d3e-ad86-61be7f6cb8c0","creationDate":"2024-11-26T08:54:16.153Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ad08eff1-d069-4d3e-ad86-61be7f6cb8c0.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	7957
Entropy (8bit):	5.174084051989748
Encrypted:	false
SSDEEP:	192:YwCVMvMX02pcbhbVbTbfbRbObtbyEl7nEr9JA6unSrDtTkd/S9V:YXVF1cNhnzFSJkr41nSrDhkd/cV
MD5:	58AAB61E81C5BBD78D05E9F1864F1ED4
SHA1:	63C443B995D2DC7B0042960D9BE2C5228F1B06F8
SHA-256:	74693507E721079321036958DA6C23F679836ECBDFF8FC2168F629AC2698C753
SHA-512:	80F411A0C8C269EBEE88242AE9275DE746D1E00C7797D345B37C3C8DAD4A371422491C765893A32C2C592AC7A8879BBD71A279D752FD9A7BF7584D5548B775A5
Malicious:	false
Preview:	{"type":"uninstall","id":"ad08eff1-d069-4d3e-ad86-61be7f6cb8c0","creationDate":"2024-11-26T08:54:16.153Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a12d1cd1-4ce7-42ab-ae29-5c019c43f6ba","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941952179680657
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLS/vq18P:8S+Oc+UAOdwiOdKeQjDLsq18P
MD5:	4CD9D24722B61B707A6501408D48D734
SHA1:	3ED9A795D2CB0BD5D1BCD04C3575CD52EC95A4BF
SHA-256:	01B67351316D2270DFD7CF3E08EA1EC61492E3523CC2333F404A15892CEE4200
SHA-512:	676F97BDA7E0CD2AD2B1C86A608A329BF0DCCF9343741194E060361BB80A3AC3894AF965B8A772120EBF9A1994FCAC9A67E3D240CA907C6C28BFB3D2352D765C
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4514
Entropy (8bit):	4.941952179680657
Encrypted:	false
SSDEEP:	96:8S+OcaPUFqOdwNIOdvtkeQjvYZUBLS/vq18P:8S+Oc+UAOdwiOdKeQjDLsq18P
MD5:	4CD9D24722B61B707A6501408D48D734
SHA1:	3ED9A795D2CB0BD5D1BCD04C3575CD52EC95A4BF
SHA-256:	01B67351316D2270DFD7CF3E08EA1EC61492E3523CC2333F404A15892CEE4200
SHA-512:	676F97BDA7E0CD2AD2B1C86A608A329BF0DCCF9343741194E060361BB80A3AC3894AF965B8A772120EBF9A1994FCAC9A67E3D240CA907C6C28BFB3D2352D765C
Malicious:	false
Preview:	{"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"d14ccc2f-033b-49c7-a2e0-d7a247e302f1","experimentType":"rollout","source":"rs-loader","userFacingName":"CSV Import (Release Rollout)","userFacingDescription":"This rollout enables users to import logins from a CSV file from the about:logins page.","lastSeen":"2023-10-05T07:41:33.819Z","featureIds":["cm-csv-import"],"prefs":[{"name":"signon.management.page.fileImport.enabled","branch":"default","featureId":"cm-csv-import","variable":"csvImport","originalValue":false}],"isRollout":true},"mixed-content-level-2-roll-out-release-113":{"slug":"mixed-content-level-2-roll-out-release-113","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 23432 bytes
Category:	dropped
Size (bytes):	5318
Entropy (8bit):	6.62067557672702
Encrypted:	false
SSDEEP:	96:V2YbKsKNU2xWrp327tGmD4wBON6h6cHaJVJuZMd0JGkkrwLUe:VTx2x2t0FDJ4NpwZMd0EJwLv
MD5:	A0DD0256A122A64D1C1A98C36F89F368
SHA1:	B82AF63B4A4261477DA4CD2AC34B4DD7BB5EBEA0
SHA-256:	EE9278644D02739D27E4FD9D8006AD49D9A0D80AD251BA2C3F144A408F65A9F3
SHA-512:	ED3AE377C1AD9E6694307CC60554665058541DD2BB80FEB1832616ACE39623E842DB3CD9153771ABD1874703DCBF4B81CABE050E2F2553D723A96A163AA41911
Malicious:	false
Preview:	mozLz40..[....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 4
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905141882491872
Encrypted:	false
SSDEEP:	24:DLSvwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:DKwae+QtMImelekKDa5
MD5:	8736A542C5564A922C47B19D9CC5E0F2
SHA1:	CE9D58967DA9B5356D6C1D8A482F9CE74DA9097A
SHA-256:	97CE5D8AFBB0AA610219C4FAC3927E32C91BFFD9FD971AF68C718E7B27E40077
SHA-512:	99777325893DC7A95FD49B2DA18D32D65F97CC7A8E482D78EDC32F63245457FA5A52750800C074D552D20B6A215604161FDC88763D93C76A8703470C3064196B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.186376962556299
Encrypted:	false
SSDEEP:	768:NI40vfXXQ4z6X4n44a4T4h4b4rhEhvj4Lw4m4x44g:NJhWvx
MD5:	C2A8F76D683C9F86054CA7775732A180
SHA1:	FB1F8B84825D53E58290E53D65F8A73C5794E281
SHA-256:	4744AACB03666A594CF1BB6E6491105F0AB600259D8E0BA483164F2AE9C90221
SHA-512:	F804B8CF7277D2F6E8AA8BDFFF099ECCEC00CE59FEB3F3EB47D5E4B36FBB2C23466233C966F53483F0DF365E13AB9BB9256B685645FC366A5A24C72907E54025
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{9f54712e-79e2-445b-974a-266a0185f206}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07335892763187633
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkiv:DLhesh7Owd4+jiv
MD5:	65962678B27000C07D35A55F7E211CC4
SHA1:	EC6FF49B00F787E404959AB43792B9E34738AFAC
SHA-256:	2B265A3A0D0C165F3030460760639A8972B5B8B919D75D803FEF976C7185CC68
SHA-512:	F0833AF740DE71FEB93B3590A0C5C91CD2460F5F11EA523BF750FA04ED851E3AE581BFCD346863861775F2FAF288D21E09ED5B9A8B5CEB41648A9DEECF5CE34E
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.035577876577226504
Encrypted:	false
SSDEEP:	3:GtlstFj5EA//f/Y/tlstFj5EA//f1tJ89//alEl:GtWtLf/Y/tWtLf1D89XuM
MD5:	440CE812AD16BB011F04848AF1A38201
SHA1:	9B25E2D8383697E600582EEEF6C8855334553F03
SHA-256:	40AE8828D57485B666DB19D538189EA0A1FAFD5F185A4B7F90E5B5F4ED6D2A28
SHA-512:	ADC68CACCA82D0F96FD0690CB9365CA83C433B500FAD40F7C99447460FAB21915EF438F563DB3D290FA1B526A93FB48CD184EAF4567EC21589B7A32422C9AD7B
Malicious:	false
Preview:	..-.....................t......2.#'.B......0ggh...-.....................t......2.#'.B......0ggh.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	32824
Entropy (8bit):	0.03982570649608014
Encrypted:	false
SSDEEP:	3:Ol13d+uOtIUV42Dl8rEXsxdwhml8XW3R2:KWuOdDl8dMhm93w
MD5:	BA117027EB662B760611D8ABF3AA9874
SHA1:	D1C602F6CEA5B8E381B90779CAF99A766BE24CE7
SHA-256:	4EFB436AA7CD2FB3F8AA69B76FEC4680885C6A97F60295411EBC1233458A5461
SHA-512:	1E838AB4FF3D5E32430C7ADEDD40752BAAC68DFC5232C17B2C6EE170D31BC11DCAA7AED10F213A7F65FD70E8D79FFBD122C9230814CA66A8B1D5B232681634E5
Malicious:	false
Preview:	7....-...........#'.B.....'.[W...........#'.B......t2...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.47598844036321
Encrypted:	false
SSDEEP:	192:lXnSRkyYbBp6JqUCaXG6V9DLNSViQ5RHNBw8dznSl:Qe+qUVLVSggPwg0
MD5:	85703D4D20B27BFAE825301ABE0E9692
SHA1:	3D7311C22C018E6419B14CC50D7393FE73A30C0E
SHA-256:	222CF9CF9BE60B04D1D639193561F57651FE07F01E711495CB01F3DA3F04A9C3
SHA-512:	9F00E21895B719A89C09D7067902AA4BD3D0A370A8383AAE0F0CFF10F01F558DE0AAEB5E745D1B96B339764E581D12DBCFCBDDCC6AF423E088AF167F3D2F8F05
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732611226);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732611226);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732611226);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173261

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	13214
Entropy (8bit):	5.47598844036321
Encrypted:	false
SSDEEP:	192:lXnSRkyYbBp6JqUCaXG6V9DLNSViQ5RHNBw8dznSl:Qe+qUVLVSggPwg0
MD5:	85703D4D20B27BFAE825301ABE0E9692
SHA1:	3D7311C22C018E6419B14CC50D7393FE73A30C0E
SHA-256:	222CF9CF9BE60B04D1D639193561F57651FE07F01E711495CB01F3DA3F04A9C3
SHA-512:	9F00E21895B719A89C09D7067902AA4BD3D0A370A8383AAE0F0CFF10F01F558DE0AAEB5E745D1B96B339764E581D12DBCFCBDDCC6AF423E088AF167F3D2F8F05
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1732611226);..user_pref("app.update.lastUpdateTime.background-update-timer", 1732611226);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1732611226);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173261

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	3:lSGBl/l/zl9l/AltllPltlnKollzvulJOlzALRWemFxu7TuRjBFbrl58lcV+wgn8:ltBl/lqN1K4BEJYqWvLue3FMOrMZ0l
MD5:	60C09456D6362C6FBED48C69AA342C3C
SHA1:	58B6E22DAA48C75958B429F662DEC1C011AE74D3
SHA-256:	FE1A432A2CD096B7EEA870D46D07F5197E34B4D10666E6E1C357FAA3F2FE2389
SHA-512:	936DBC887276EF07732783B50EAFE450A8598B0492B8F6C838B337EF3E8A6EA595E7C7A2FA4B3E881887FAAE2D207B953A4C65ED8C964D93118E00D3E03882BD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.336016597661205
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRgLXnIgn/pnxQwRlscT5sKhi/C3eHVVPNZTDmamhuj3pOOcUb2mi7:GUpOxb5nRfIC3etZT645edHd
MD5:	480AA865390A2E4980769E85A601DC4C
SHA1:	7DFBC6F39E12742D506859329AF365D6909FCB86
SHA-256:	0E721660D75955217ABBA563A2D673D5AA70047E45F7D78394C16B42DBC60BA9
SHA-512:	7B0ABC25AD1D19CEFFF2C2A6A58F9F92C06DDB1F92C4EAB6C6F8B39514643BDD5A5DB91161A5AC575F260754473F2E1946CA82C0FC1EB6CC56A1040676CE3F96
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{50cacb8a-5a53-47e2-917b-c86252c8479a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732611229974,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..Q19586...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....199846,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.336016597661205
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRgLXnIgn/pnxQwRlscT5sKhi/C3eHVVPNZTDmamhuj3pOOcUb2mi7:GUpOxb5nRfIC3etZT645edHd
MD5:	480AA865390A2E4980769E85A601DC4C
SHA1:	7DFBC6F39E12742D506859329AF365D6909FCB86
SHA-256:	0E721660D75955217ABBA563A2D673D5AA70047E45F7D78394C16B42DBC60BA9
SHA-512:	7B0ABC25AD1D19CEFFF2C2A6A58F9F92C06DDB1F92C4EAB6C6F8B39514643BDD5A5DB91161A5AC575F260754473F2E1946CA82C0FC1EB6CC56A1040676CE3F96
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{50cacb8a-5a53-47e2-917b-c86252c8479a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732611229974,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..Q19586...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....199846,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1567
Entropy (8bit):	6.336016597661205
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSRgLXnIgn/pnxQwRlscT5sKhi/C3eHVVPNZTDmamhuj3pOOcUb2mi7:GUpOxb5nRfIC3etZT645edHd
MD5:	480AA865390A2E4980769E85A601DC4C
SHA1:	7DFBC6F39E12742D506859329AF365D6909FCB86
SHA-256:	0E721660D75955217ABBA563A2D673D5AA70047E45F7D78394C16B42DBC60BA9
SHA-512:	7B0ABC25AD1D19CEFFF2C2A6A58F9F92C06DDB1F92C4EAB6C6F8B39514643BDD5A5DB91161A5AC575F260754473F2E1946CA82C0FC1EB6CC56A1040676CE3F96
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{50cacb8a-5a53-47e2-917b-c86252c8479a}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1732611229974,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758...dth":116....eight":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...4b3ac14b-43e5-4896-86e8-9e7d502ce1b5","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..Q19586...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...Abbc25ad08ccc1b2d785bc1812d8faa4d50f401055c8d3ce6d11bb3b0958223be","path":"/","na..a"taarI\|.Recure...,`.Donly..eexpiry....199846,"originA...."

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.037125638535588
Encrypted:	false
SSDEEP:	48:YrSAYBG3eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfA6:ycB8+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	14E62B3F0AE50919C5D3D0B5028096B2
SHA1:	65CF7250FDD3FBCAC3FA1663720157025A0F9F40
SHA-256:	48488EE13A6811728BED444F1D9DD4927A2F5573FC480B0B93DF0A96E48CD8D9
SHA-512:	63D58BF0D304599D9A930785AA9398BF9F7D14C2C6A0D8397948730515FFC9D2F7B2E97CF65FB451B917006D7A436E7E40D8C22BEF5E9CF74AD2E3EC4440D352
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-26T08:53:29.941Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.037125638535588
Encrypted:	false
SSDEEP:	48:YrSAYBG3eUQZpExB1+anO8e6WCVhhOjVkWAYzzc8rYMsku7f86SLAVL7J5FtsfA6:ycB8+TEr5ZwoIhzzcHvbw6Kkdrc2Rn27
MD5:	14E62B3F0AE50919C5D3D0B5028096B2
SHA1:	65CF7250FDD3FBCAC3FA1663720157025A0F9F40
SHA-256:	48488EE13A6811728BED444F1D9DD4927A2F5573FC480B0B93DF0A96E48CD8D9
SHA-512:	63D58BF0D304599D9A930785AA9398BF9F7D14C2C6A0D8397948730515FFC9D2F7B2E97CF65FB451B917006D7A436E7E40D8C22BEF5E9CF74AD2E3EC4440D352
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-11-26T08:53:29.941Z","profileAgeCreated":1696491685971,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.592591942214099
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	922'624 bytes
MD5:	0f6832047e7bced4a803541e7c53fd0f
SHA1:	d384c8fd05f725f0557b74d471a07658e177d40d
SHA256:	d04d6399b3c5ae64db783bee5a7ff7e996c157c149ebb8126a4c3b8777411900
SHA512:	e28f93ffd6c0f525c764214093d01100252e0d72949e6c34844921000f24226c0bca5726110b6e95f09cb21bfad87353d8afe1e8090e39f7941855dc36d56de3
SSDEEP:	12288:3qDEvFo+yo4DdbbMWu/jrQu4M9lBAlKhQcDGB3cuBNGE6iOrpfe4JdaDgaDTr:3qDEvCTbMWu7rQYlBQcBiT6rprG8aXr
TLSH:	3C159E0273D1C062FF9B92334B5AF6515BBC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67456D71 [Tue Nov 26 06:40:49 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F88646F0A83h
jmp 00007F88646F038Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F88646F056Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F88646F053Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F88646F312Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F88646F3178h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F88646F3161h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xa8a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xdf000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xa8a0	0xaa00	853efe1cf406163636e4ae39709cc0cc	False	0.3706112132352941	data	5.652757159673902	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xdf000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x1b68	data			1.0015678449258838
RT_GROUP_ICON	0xde320	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xde398	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xde3ac	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xde3c0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xde3d4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xde4b0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:03:13.724463940 CET	49708	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:13.724510908 CET	443	49708	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:13.724693060 CET	49708	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:13.729595900 CET	49708	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:13.729609966 CET	443	49708	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:13.730007887 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:13.730046988 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:13.730087042 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:13.730099916 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:13.730185032 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:13.731337070 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:13.731354952 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:13.731429100 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:13.737658978 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:13.737670898 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:13.737951994 CET	49712	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:13.857815027 CET	80	49712	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:13.868148088 CET	49712	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:13.884391069 CET	49712	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:13.987608910 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:13.987649918 CET	443	49713	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:13.987905025 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:13.988143921 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:13.988154888 CET	443	49713	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:14.004313946 CET	80	49712	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:14.031861067 CET	49714	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:14.031905890 CET	443	49714	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:14.032150030 CET	49714	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:14.033524990 CET	49714	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:14.033545017 CET	443	49714	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:14.471517086 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:14.471563101 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:14.478360891 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:14.479609013 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:14.479621887 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:14.638511896 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:14.638550997 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 08:03:14.638644934 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:14.638787031 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:14.638798952 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 08:03:14.953217030 CET	80	49712	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:14.956290007 CET	49712	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:14.992470026 CET	443	49708	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:14.992561102 CET	49708	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:15.000855923 CET	49708	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:15.000869989 CET	443	49708	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:15.000967979 CET	49708	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:15.001121998 CET	443	49708	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:15.001183033 CET	49708	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:15.077111959 CET	80	49712	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:15.077214003 CET	49712	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:15.255965948 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:15.256148100 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:15.299469948 CET	443	49713	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:15.299551964 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.302746058 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.302757025 CET	443	49713	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:15.303252935 CET	443	49713	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:15.305581093 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.305581093 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.305777073 CET	443	49713	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:15.305830956 CET	49713	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.348655939 CET	443	49714	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:15.350275993 CET	49714	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.364908934 CET	49714	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.364928007 CET	443	49714	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:15.364969015 CET	49714	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.365154982 CET	443	49714	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:15.365886927 CET	49714	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.376116037 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:15.376245022 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:15.388154984 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:15.388159990 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:15.388159990 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:15.388298035 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:15.472284079 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.472362995 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.472981930 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.473366022 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.473800898 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.474510908 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.476636887 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.476650000 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.476763964 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.476866961 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.476886034 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.476967096 CET	443	49709	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.477945089 CET	49709	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.480964899 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.480979919 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.481030941 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.481148958 CET	443	49710	142.250.181.78	192.168.2.7
Nov 26, 2024 08:03:15.481295109 CET	49710	443	192.168.2.7	142.250.181.78
Nov 26, 2024 08:03:15.508265972 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:15.508276939 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:15.702687025 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:15.702701092 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:15.703808069 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.711383104 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.711395025 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:15.711446047 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.711575031 CET	443	49715	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:15.719407082 CET	49715	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:15.807085037 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.807140112 CET	443	49720	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:15.808330059 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.808607101 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:15.808639050 CET	443	49720	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:15.853526115 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 08:03:15.859338999 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 08:03:15.865308046 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:15.865335941 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:15.868371964 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:15.868381977 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 08:03:15.868659973 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 08:03:15.870426893 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:15.870496988 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:15.870584011 CET	443	49716	34.160.144.191	192.168.2.7
Nov 26, 2024 08:03:15.879036903 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:15.879055023 CET	49716	443	192.168.2.7	34.160.144.191
Nov 26, 2024 08:03:15.879970074 CET	49721	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:15.880023003 CET	443	49721	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:15.881880045 CET	49721	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:15.883228064 CET	49721	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:15.883248091 CET	443	49721	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:16.032275915 CET	49722	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:16.032320976 CET	443	49722	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:16.033468962 CET	49722	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:16.034817934 CET	49722	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:16.034838915 CET	443	49722	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:16.238632917 CET	49723	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:16.238661051 CET	443	49723	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:16.245130062 CET	49723	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:16.246721983 CET	49723	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:16.246742010 CET	443	49723	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:16.386437893 CET	49730	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:16.386476040 CET	443	49730	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:16.386653900 CET	49730	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:16.388048887 CET	49730	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:16.388062000 CET	443	49730	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:16.519843102 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:16.566932917 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:16.577155113 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:16.630500078 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:16.927273989 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:16.948466063 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:17.047276020 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:17.066200018 CET	443	49720	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:17.069675922 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:17.071419001 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:17.073903084 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:17.073915005 CET	443	49720	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:17.074172974 CET	443	49720	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:17.075865984 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:17.075923920 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:17.076025009 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:17.076030970 CET	443	49720	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:17.076312065 CET	49720	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:17.099324942 CET	443	49721	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:17.100642920 CET	49721	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:17.104192019 CET	49721	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:17.104207039 CET	443	49721	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:17.104259968 CET	49721	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:17.104361057 CET	443	49721	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:17.107629061 CET	49721	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:17.261254072 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:17.272505045 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:17.297066927 CET	443	49722	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:17.297136068 CET	49722	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:17.301928043 CET	49722	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:17.301943064 CET	443	49722	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:17.302014112 CET	49722	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:17.302082062 CET	443	49722	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:17.302170038 CET	49722	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:17.304565907 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:17.320169926 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:17.462696075 CET	443	49723	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:17.462780952 CET	49723	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:17.496041059 CET	49723	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:17.496072054 CET	443	49723	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:17.496146917 CET	49723	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:17.496325016 CET	443	49723	34.117.188.166	192.168.2.7
Nov 26, 2024 08:03:17.496402025 CET	49723	443	192.168.2.7	34.117.188.166
Nov 26, 2024 08:03:17.649570942 CET	443	49730	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:17.649650097 CET	49730	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:17.654414892 CET	49730	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:17.654422998 CET	443	49730	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:17.654499054 CET	49730	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:17.654664040 CET	443	49730	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:17.654714108 CET	49730	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:18.955640078 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:18.957685947 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:18.984713078 CET	49737	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:18.984756947 CET	443	49737	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:18.986012936 CET	49737	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:18.987498045 CET	49737	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:18.987512112 CET	443	49737	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:18.988863945 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:18.988920927 CET	443	49738	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:18.989052057 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:18.989132881 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:18.989151955 CET	443	49738	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:19.075505018 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:19.077689886 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:19.119733095 CET	49739	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:19.119780064 CET	443	49739	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:19.120558977 CET	49739	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:19.122103930 CET	49739	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:19.122116089 CET	443	49739	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:19.283150911 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:19.289817095 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:19.290119886 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:19.290914059 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:19.340164900 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:19.410480022 CET	80	49718	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:19.411780119 CET	49718	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:19.514452934 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:19.634418964 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:19.634584904 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:19.634804010 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:19.754776001 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:20.244716883 CET	443	49738	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:20.244767904 CET	443	49737	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:20.244874001 CET	49737	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.244906902 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.379280090 CET	443	49739	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:20.379400969 CET	49739	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:20.765780926 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:20.806727886 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:20.963494062 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.963527918 CET	443	49738	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:20.963915110 CET	443	49738	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:20.969396114 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.969461918 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.969616890 CET	443	49738	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:20.969855070 CET	49739	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:20.969876051 CET	443	49739	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:20.969974041 CET	49739	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:20.970149040 CET	443	49739	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:20.970176935 CET	49738	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.970387936 CET	49739	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:20.971779108 CET	49737	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.971812963 CET	443	49737	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:20.971837044 CET	49737	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:20.972043991 CET	443	49737	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:20.972098112 CET	49737	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:25.457309008 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:25.473480940 CET	49758	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.473510027 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.483905077 CET	49758	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.485493898 CET	49758	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.485507965 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.491786957 CET	49759	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:25.491818905 CET	443	49759	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:25.492221117 CET	49759	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:25.493565083 CET	49759	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:25.493591070 CET	443	49759	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:25.494260073 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:25.494303942 CET	443	49760	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:25.494430065 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:25.494544983 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:25.494556904 CET	443	49760	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:25.577236891 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:25.618552923 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.618592024 CET	443	49761	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.618664026 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.618721962 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.618756056 CET	443	49762	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.618815899 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.618818045 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.618824005 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.618921041 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.618952036 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.618966103 CET	443	49762	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.619049072 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.619060040 CET	443	49761	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.619138956 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:25.619154930 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:25.781128883 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:25.827414989 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:26.750930071 CET	443	49760	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:26.751091957 CET	443	49759	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:26.754302025 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:26.754436016 CET	49759	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:26.871926069 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:26.871942043 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:26.872013092 CET	49758	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.111972094 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.112221003 CET	443	49761	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.113043070 CET	443	49762	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.117664099 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.117664099 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.118036032 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.399245024 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:27.399272919 CET	443	49760	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:27.399451017 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:27.399687052 CET	443	49760	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:27.405498028 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.405523062 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.405806065 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.407466888 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.407484055 CET	443	49762	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.407809019 CET	443	49762	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.409660101 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.409682035 CET	443	49761	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.409941912 CET	443	49761	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.416501045 CET	49758	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.416532993 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.416758060 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.416788101 CET	49758	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.416796923 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.416893959 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:27.416968107 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:27.417042017 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.417150021 CET	443	49760	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:27.417203903 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.417251110 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.417257071 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.417325020 CET	49759	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:27.417341948 CET	443	49759	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:27.417382956 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.417500973 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.417579889 CET	443	49762	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.417632103 CET	443	49759	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:27.418123007 CET	49760	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:27.418138027 CET	49759	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:27.418165922 CET	49762	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.455219030 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.519419909 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:27.623347044 CET	443	49763	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.623675108 CET	49763	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.635334969 CET	443	49758	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:27.635495901 CET	49758	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:27.723038912 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:27.771775961 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:28.023152113 CET	49759	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:28.023190022 CET	443	49759	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:28.107985020 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.108098984 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.114770889 CET	443	49761	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:28.114844084 CET	49761	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.382405043 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:28.454705954 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.454824924 CET	443	49773	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:28.455940962 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.456111908 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.456186056 CET	443	49773	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:28.498169899 CET	49774	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.498209953 CET	443	49774	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:28.498955011 CET	49774	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.500386000 CET	49774	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:28.500396967 CET	443	49774	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:28.502285004 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:28.706291914 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:28.759279013 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:29.403645992 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:29.523664951 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:29.721967936 CET	443	49773	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:29.722121000 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:29.727615118 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:29.757754087 CET	443	49774	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:29.757822037 CET	49774	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:29.777996063 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:30.290643930 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.290695906 CET	443	49773	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:30.291002989 CET	443	49773	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:30.294989109 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.295111895 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.295181036 CET	443	49773	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:30.295438051 CET	49774	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.295470953 CET	443	49774	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:30.295526028 CET	49774	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.295859098 CET	443	49774	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:30.297017097 CET	49773	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.297054052 CET	49774	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.400912046 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:30.404968977 CET	49780	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.405030966 CET	443	49780	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:30.405395985 CET	49780	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.406903982 CET	49780	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:30.406930923 CET	443	49780	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:30.520853996 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:30.725106001 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:30.738792896 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:30.766422033 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:30.858889103 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:31.062482119 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:31.113195896 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:31.895173073 CET	443	49780	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:31.895256996 CET	49780	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:31.900506973 CET	49780	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:31.900532961 CET	443	49780	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:31.900597095 CET	49780	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:31.900729895 CET	443	49780	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:31.901875019 CET	49780	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:31.903326035 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:31.905489922 CET	49781	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:31.905531883 CET	443	49781	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:31.905827999 CET	49781	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:31.907192945 CET	49781	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:31.907207012 CET	443	49781	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:32.023536921 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:32.227256060 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:32.230372906 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:32.269881010 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:32.350389957 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:32.630093098 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:32.671082020 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:33.200598955 CET	443	49781	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:33.200707912 CET	49781	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:33.205420017 CET	49781	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:33.205440998 CET	443	49781	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:33.205517054 CET	49781	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:33.205605984 CET	443	49781	34.120.208.123	192.168.2.7
Nov 26, 2024 08:03:33.206722975 CET	49781	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:03:33.208465099 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:33.328397989 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:33.534476042 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:33.537708044 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:33.589308023 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:33.658962965 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:33.909723997 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:33.959216118 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:38.533781052 CET	49797	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:38.533833981 CET	443	49797	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:38.534281969 CET	49797	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:38.536098003 CET	49797	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:38.536112070 CET	443	49797	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:39.793040991 CET	443	49797	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:39.793118000 CET	49797	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:39.797502995 CET	49797	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:39.797512054 CET	443	49797	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:39.797599077 CET	49797	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:39.797638893 CET	443	49797	34.107.243.93	192.168.2.7
Nov 26, 2024 08:03:39.797765970 CET	49797	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:03:39.800312996 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:39.920214891 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:40.124917984 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:40.127991915 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:40.177467108 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:40.247893095 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:40.451941013 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:40.493897915 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:41.596030951 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:41.596086979 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:41.596394062 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:41.596509933 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:41.596519947 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:41.615072966 CET	49808	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:41.615130901 CET	443	49808	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:41.615962982 CET	49808	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:41.617376089 CET	49808	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:41.617413044 CET	443	49808	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:41.713551998 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:41.713588953 CET	443	49809	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:41.714359999 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:41.714531898 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:41.714549065 CET	443	49809	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:41.761357069 CET	49810	443	192.168.2.7	35.201.103.21
Nov 26, 2024 08:03:41.761400938 CET	443	49810	35.201.103.21	192.168.2.7
Nov 26, 2024 08:03:41.761671066 CET	49810	443	192.168.2.7	35.201.103.21
Nov 26, 2024 08:03:41.763201952 CET	49810	443	192.168.2.7	35.201.103.21
Nov 26, 2024 08:03:41.763220072 CET	443	49810	35.201.103.21	192.168.2.7
Nov 26, 2024 08:03:41.816968918 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:41.817001104 CET	443	49811	151.101.193.91	192.168.2.7
Nov 26, 2024 08:03:41.817080021 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:41.817262888 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:41.817280054 CET	443	49811	151.101.193.91	192.168.2.7
Nov 26, 2024 08:03:42.827905893 CET	443	49808	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:42.828007936 CET	49808	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:42.832170010 CET	49808	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:42.832190990 CET	443	49808	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:42.832273960 CET	49808	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:42.832385063 CET	443	49808	35.190.72.216	192.168.2.7
Nov 26, 2024 08:03:42.832473040 CET	49808	443	192.168.2.7	35.190.72.216
Nov 26, 2024 08:03:42.834973097 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:42.852360964 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:42.852458954 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:42.855318069 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:42.855334997 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:42.855565071 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:42.857575893 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:42.857649088 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:42.857705116 CET	443	49807	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:42.858781099 CET	49807	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:42.954860926 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:43.018091917 CET	443	49809	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.018174887 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.021178961 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.021189928 CET	443	49809	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.021425009 CET	443	49809	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.023345947 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.023426056 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.023488998 CET	443	49809	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.023996115 CET	49809	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.025054932 CET	443	49810	35.201.103.21	192.168.2.7
Nov 26, 2024 08:03:43.025279999 CET	49810	443	192.168.2.7	35.201.103.21
Nov 26, 2024 08:03:43.028820992 CET	49810	443	192.168.2.7	35.201.103.21
Nov 26, 2024 08:03:43.028829098 CET	443	49810	35.201.103.21	192.168.2.7
Nov 26, 2024 08:03:43.028924942 CET	49810	443	192.168.2.7	35.201.103.21
Nov 26, 2024 08:03:43.029031038 CET	443	49810	35.201.103.21	192.168.2.7
Nov 26, 2024 08:03:43.029110909 CET	49810	443	192.168.2.7	35.201.103.21
Nov 26, 2024 08:03:43.032752037 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:43.032818079 CET	443	49813	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:43.034558058 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:43.034699917 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:43.034734964 CET	443	49813	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:43.083039045 CET	443	49811	151.101.193.91	192.168.2.7
Nov 26, 2024 08:03:43.083164930 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:43.086194038 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:43.086208105 CET	443	49811	151.101.193.91	192.168.2.7
Nov 26, 2024 08:03:43.086431980 CET	443	49811	151.101.193.91	192.168.2.7
Nov 26, 2024 08:03:43.088176012 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:43.088263988 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:43.088289976 CET	443	49811	151.101.193.91	192.168.2.7
Nov 26, 2024 08:03:43.093775988 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:43.093775988 CET	49811	443	192.168.2.7	151.101.193.91
Nov 26, 2024 08:03:43.096556902 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.096575022 CET	443	49814	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.096932888 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.097018003 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.097027063 CET	443	49814	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.098861933 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.098890066 CET	443	49815	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.099370956 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.099466085 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.099478960 CET	443	49815	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.100837946 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.100894928 CET	443	49816	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.101092100 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.101192951 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:43.101216078 CET	443	49816	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:43.160872936 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:43.163461924 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:43.201632977 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:43.283360958 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:43.487116098 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:43.533726931 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:44.291205883 CET	443	49813	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:44.291279078 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:44.294315100 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:44.294326067 CET	443	49813	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:44.294539928 CET	443	49813	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:44.296876907 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:44.296979904 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:44.297174931 CET	443	49813	34.149.100.209	192.168.2.7
Nov 26, 2024 08:03:44.297255039 CET	49813	443	192.168.2.7	34.149.100.209
Nov 26, 2024 08:03:44.299422026 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:44.314650059 CET	443	49816	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.314744949 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.317496061 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.317523003 CET	443	49816	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.317908049 CET	443	49816	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.320557117 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.320624113 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.320764065 CET	443	49816	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.324660063 CET	49816	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.407104015 CET	443	49814	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.407203913 CET	443	49815	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.407210112 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.407522917 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.410079002 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.410089016 CET	443	49814	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.410340071 CET	443	49814	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.412575960 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.412581921 CET	443	49815	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.412820101 CET	443	49815	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.416069031 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.416155100 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.416224003 CET	443	49814	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.416328907 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.416400909 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.416466951 CET	443	49815	35.244.181.201	192.168.2.7
Nov 26, 2024 08:03:44.416513920 CET	49814	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.416829109 CET	49815	443	192.168.2.7	35.244.181.201
Nov 26, 2024 08:03:44.419353008 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:44.623939037 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:44.626905918 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:44.674688101 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:44.746954918 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:44.950834036 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:44.991183043 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:54.634471893 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:54.754702091 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:03:54.951030016 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:03:55.072134972 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:00.325228930 CET	49855	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:00.325287104 CET	443	49855	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:00.325553894 CET	49855	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:00.327008963 CET	49855	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:00.327023983 CET	443	49855	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:01.593256950 CET	443	49855	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:01.593350887 CET	49855	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:01.598320007 CET	49855	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:01.598329067 CET	443	49855	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:01.598422050 CET	49855	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:01.598465919 CET	443	49855	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:01.598623991 CET	49855	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:01.600899935 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:01.720846891 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:01.924973965 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:01.927906036 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:01.970419884 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:02.048475027 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:02.251744032 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:02.302663088 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:11.630582094 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.630630970 CET	443	49881	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.630742073 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.630774975 CET	443	49882	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.630857944 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.630866051 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.630986929 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631035089 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631115913 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631150961 CET	443	49885	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631228924 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631238937 CET	443	49886	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631423950 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631439924 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631449938 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631450891 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631455898 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631455898 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631584883 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631599903 CET	443	49881	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631726980 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631742001 CET	443	49886	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631793022 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631812096 CET	443	49885	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631855011 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631863117 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631931067 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.631941080 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.631994963 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:11.632008076 CET	443	49882	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:11.930294991 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:12.050412893 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:12.253323078 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:12.373452902 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:12.844738960 CET	443	49886	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.844814062 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.845163107 CET	443	49882	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.845293045 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.848099947 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.848104954 CET	443	49886	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.848349094 CET	443	49886	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.850475073 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.850509882 CET	443	49882	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.850807905 CET	443	49882	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.853192091 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.853300095 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.853378057 CET	443	49886	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.853396893 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.853508949 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.853713036 CET	443	49882	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.853909016 CET	49891	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.853952885 CET	443	49891	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.854053974 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.854089022 CET	443	49892	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.854142904 CET	49886	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.854182959 CET	49891	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.854202986 CET	49882	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.854357004 CET	49891	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.854357958 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.854371071 CET	443	49891	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.854429960 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.854444981 CET	443	49892	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.859167099 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:12.891457081 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.891539097 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.891558886 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.891881943 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.894051075 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.894090891 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.894316912 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.896213055 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.896224022 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.896562099 CET	443	49881	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.896603107 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.897006035 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.899059057 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.899063110 CET	443	49881	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.899322987 CET	443	49881	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.901396036 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.901515007 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.901591063 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.901607990 CET	443	49883	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.901716948 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.901808023 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.901814938 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.901863098 CET	49883	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.903258085 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.903383970 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.903395891 CET	443	49881	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.903669119 CET	49881	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.939454079 CET	443	49885	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.939568996 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.941899061 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.941910028 CET	443	49885	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.942106009 CET	443	49885	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.943949938 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.944042921 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.944065094 CET	443	49885	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:12.944190979 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.944204092 CET	49885	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:12.979224920 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:13.107342005 CET	443	49884	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:13.107414007 CET	49884	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:13.183290958 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:13.190582991 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:13.233978987 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:13.310528040 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:13.514163971 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:13.556977034 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:14.121274948 CET	443	49891	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:14.121378899 CET	49891	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.125852108 CET	49891	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.125859976 CET	443	49891	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:14.126816034 CET	443	49891	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:14.128910065 CET	49891	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.129029989 CET	49891	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.132041931 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:14.156542063 CET	443	49892	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:14.156637907 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.161026955 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.161039114 CET	443	49892	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:14.161254883 CET	443	49892	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:14.163937092 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.164062977 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.164099932 CET	443	49892	34.120.208.123	192.168.2.7
Nov 26, 2024 08:04:14.164676905 CET	49892	443	192.168.2.7	34.120.208.123
Nov 26, 2024 08:04:14.252027035 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:14.456470013 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:14.459882975 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:14.506484032 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:14.579895020 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:14.783781052 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:14.838591099 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:24.458764076 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:24.578841925 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:24.790918112 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:24.910887003 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:34.587642908 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:34.707705975 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:34.919740915 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:35.040360928 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:41.873720884 CET	49957	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:41.873776913 CET	443	49957	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:41.874030113 CET	49957	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:41.875499964 CET	49957	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:41.875514984 CET	443	49957	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:43.085350037 CET	443	49957	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:43.085510015 CET	49957	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:43.090105057 CET	49957	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:43.090122938 CET	443	49957	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:43.090193987 CET	49957	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:43.090349913 CET	443	49957	34.107.243.93	192.168.2.7
Nov 26, 2024 08:04:43.091439009 CET	49957	443	192.168.2.7	34.107.243.93
Nov 26, 2024 08:04:43.093799114 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:43.213706017 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:43.417932987 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:43.421415091 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:43.458770037 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:43.541395903 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:43.745045900 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:43.797477961 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:53.424912930 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:53.548827887 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:04:53.757177114 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:04:53.877110958 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:05:03.554250002 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:05:03.674230099 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:05:03.886562109 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:05:04.006474972 CET	80	49740	34.107.221.82	192.168.2.7
Nov 26, 2024 08:05:13.675180912 CET	49719	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:05:13.795134068 CET	80	49719	34.107.221.82	192.168.2.7
Nov 26, 2024 08:05:14.013633013 CET	49740	80	192.168.2.7	34.107.221.82
Nov 26, 2024 08:05:14.133500099 CET	80	49740	34.107.221.82	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2024 08:03:13.586132050 CET	59680	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.590118885 CET	50740	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.724613905 CET	51711	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.725377083 CET	53	59680	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:13.726445913 CET	57539	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.732317924 CET	49614	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.863565922 CET	53	51711	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:13.865560055 CET	53	57539	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:13.871458054 CET	53	49614	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:13.889484882 CET	61340	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.889584064 CET	60933	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.899014950 CET	53498	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.915381908 CET	57458	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:13.973611116 CET	63144	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.028578043 CET	53	61340	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.030107975 CET	53	60933	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.038141012 CET	53	53498	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.062155962 CET	53	57458	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.112524033 CET	53	63144	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.470993042 CET	54194	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.471263885 CET	57439	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.471821070 CET	57330	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.476351976 CET	54951	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.484848022 CET	57729	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.610304117 CET	53	57439	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.610822916 CET	53	57330	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.612320900 CET	53	54194	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.615555048 CET	52723	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.616035938 CET	64797	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.616539955 CET	52893	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.626774073 CET	53	57729	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.755997896 CET	53	52723	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.756019115 CET	53	52893	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.757184982 CET	53	64797	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.758878946 CET	54181	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:14.901082993 CET	53	54181	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:14.903585911 CET	52185	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:15.046166897 CET	53	52185	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:15.088809013 CET	64522	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:15.089342117 CET	52843	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:15.110299110 CET	62528	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:15.118129015 CET	53	58438	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:15.232366085 CET	53	52843	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:15.232379913 CET	53	64522	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:15.416248083 CET	52048	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:15.557600975 CET	53	52048	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:15.561815977 CET	54317	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:15.701286077 CET	53	54317	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:15.722873926 CET	58696	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:15.862019062 CET	53	58696	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:15.888968945 CET	63021	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:16.031444073 CET	53	63021	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:16.032491922 CET	51707	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:16.171525002 CET	53	51707	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:16.173552990 CET	57940	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:16.313517094 CET	53	57940	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:16.386833906 CET	53836	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:16.533957958 CET	53	53836	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:16.569771051 CET	56046	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:16.712429047 CET	53	56046	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:18.940103054 CET	58573	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:19.079261065 CET	53	58573	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:19.080543995 CET	56499	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:19.224970102 CET	53	56499	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:19.226109028 CET	64931	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:19.485943079 CET	53	64931	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:20.963340044 CET	59224	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:20.963735104 CET	64363	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:20.963963032 CET	54489	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.102730036 CET	53	59224	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.102962017 CET	53	64363	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.103708982 CET	58485	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.103708982 CET	65399	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.189486980 CET	53	54489	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.190326929 CET	54475	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.243711948 CET	53	58485	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.244374990 CET	54555	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.246023893 CET	53	65399	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.246515036 CET	62945	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.331372023 CET	53	54475	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.331985950 CET	60775	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.384438038 CET	53	54555	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.385045052 CET	53605	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.386151075 CET	53	62945	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.386743069 CET	56379	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.471570969 CET	53	60775	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.524488926 CET	53	53605	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.525541067 CET	53	56379	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.532322884 CET	58042	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.532728910 CET	55994	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.672419071 CET	53	55994	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.673724890 CET	49621	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.676446915 CET	53	58042	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.677843094 CET	60689	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:21.817280054 CET	53	49621	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:21.821847916 CET	53	60689	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:25.474975109 CET	62492	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:25.488317966 CET	62950	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:25.617425919 CET	53	62492	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:25.630646944 CET	53	62950	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:30.405312061 CET	51357	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:30.546664000 CET	53	51357	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:38.392009020 CET	64983	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:38.532421112 CET	53	64983	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:38.534216881 CET	52595	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:38.679554939 CET	53	52595	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:39.800204992 CET	54319	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:39.944120884 CET	50560	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:40.127747059 CET	64583	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:40.269069910 CET	55531	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.593008041 CET	59748	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.620242119 CET	51711	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.714133024 CET	62999	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.760302067 CET	53	51711	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:41.761603117 CET	53836	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.816055059 CET	53	59748	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:41.857573986 CET	53	62999	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:41.858160019 CET	49684	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.858427048 CET	59679	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.901334047 CET	53	53836	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:41.901913881 CET	58776	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:41.999671936 CET	53	49684	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:42.001590967 CET	53	59679	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:42.002353907 CET	55084	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:42.041394949 CET	53	58776	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:42.141443968 CET	53	55084	1.1.1.1	192.168.2.7
Nov 26, 2024 08:03:42.835252047 CET	54318	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:42.976075888 CET	57482	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:43.163609028 CET	55651	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:03:43.304146051 CET	55716	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:04:00.325364113 CET	57914	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:04:00.467590094 CET	53	57914	1.1.1.1	192.168.2.7
Nov 26, 2024 08:04:11.631391048 CET	54914	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:04:11.772449970 CET	53	54914	1.1.1.1	192.168.2.7
Nov 26, 2024 08:04:41.725730896 CET	64044	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:04:41.872529984 CET	53	64044	1.1.1.1	192.168.2.7
Nov 26, 2024 08:04:41.873955965 CET	61422	53	192.168.2.7	1.1.1.1
Nov 26, 2024 08:04:42.015008926 CET	53	61422	1.1.1.1	192.168.2.7
Nov 26, 2024 08:04:43.094054937 CET	53215	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 26, 2024 08:03:13.586132050 CET	192.168.2.7	1.1.1.1	0x1ce9	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.590118885 CET	192.168.2.7	1.1.1.1	0x90e5	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.724613905 CET	192.168.2.7	1.1.1.1	0x21ab	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.726445913 CET	192.168.2.7	1.1.1.1	0xbc5d	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.732317924 CET	192.168.2.7	1.1.1.1	0xb700	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.889484882 CET	192.168.2.7	1.1.1.1	0x6666	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.889584064 CET	192.168.2.7	1.1.1.1	0x8be6	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:13.899014950 CET	192.168.2.7	1.1.1.1	0x1a35	Standard query (0)	youtube.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:13.915381908 CET	192.168.2.7	1.1.1.1	0xa146	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:13.973611116 CET	192.168.2.7	1.1.1.1	0x7bc1	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.470993042 CET	192.168.2.7	1.1.1.1	0xab36	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.471263885 CET	192.168.2.7	1.1.1.1	0xc2e5	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.471821070 CET	192.168.2.7	1.1.1.1	0x3049	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.476351976 CET	192.168.2.7	1.1.1.1	0x74e1	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.484848022 CET	192.168.2.7	1.1.1.1	0xed	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.615555048 CET	192.168.2.7	1.1.1.1	0x90ea	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:14.616035938 CET	192.168.2.7	1.1.1.1	0xaf9b	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:14.616539955 CET	192.168.2.7	1.1.1.1	0x7439	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:14.758878946 CET	192.168.2.7	1.1.1.1	0xe467	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.903585911 CET	192.168.2.7	1.1.1.1	0x8b8f	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:15.088809013 CET	192.168.2.7	1.1.1.1	0xbd48	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.089342117 CET	192.168.2.7	1.1.1.1	0xb639	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.110299110 CET	192.168.2.7	1.1.1.1	0x6e2d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.416248083 CET	192.168.2.7	1.1.1.1	0x8c01	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.561815977 CET	192.168.2.7	1.1.1.1	0x7eb2	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.722873926 CET	192.168.2.7	1.1.1.1	0xd568	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:15.888968945 CET	192.168.2.7	1.1.1.1	0xd402	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:16.032491922 CET	192.168.2.7	1.1.1.1	0x3dae	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:16.173552990 CET	192.168.2.7	1.1.1.1	0x9b7e	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:16.386833906 CET	192.168.2.7	1.1.1.1	0x85e7	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:16.569771051 CET	192.168.2.7	1.1.1.1	0x9a8b	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:18.940103054 CET	192.168.2.7	1.1.1.1	0x798b	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:19.080543995 CET	192.168.2.7	1.1.1.1	0xb78b	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:19.226109028 CET	192.168.2.7	1.1.1.1	0x52c6	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:20.963340044 CET	192.168.2.7	1.1.1.1	0xa79c	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:20.963735104 CET	192.168.2.7	1.1.1.1	0x7952	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:20.963963032 CET	192.168.2.7	1.1.1.1	0x7021	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.103708982 CET	192.168.2.7	1.1.1.1	0x9883	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.103708982 CET	192.168.2.7	1.1.1.1	0xa50f	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.190326929 CET	192.168.2.7	1.1.1.1	0xe905	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.244374990 CET	192.168.2.7	1.1.1.1	0x2d60	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:21.246515036 CET	192.168.2.7	1.1.1.1	0x4754	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:21.331985950 CET	192.168.2.7	1.1.1.1	0x56a2	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Nov 26, 2024 08:03:21.385045052 CET	192.168.2.7	1.1.1.1	0xdb0e	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.386743069 CET	192.168.2.7	1.1.1.1	0xe517	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.532322884 CET	192.168.2.7	1.1.1.1	0x3ada	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.532728910 CET	192.168.2.7	1.1.1.1	0xd5f4	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.673724890 CET	192.168.2.7	1.1.1.1	0x276b	Standard query (0)	twitter.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:21.677843094 CET	192.168.2.7	1.1.1.1	0xd68f	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:25.474975109 CET	192.168.2.7	1.1.1.1	0xfafb	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:25.488317966 CET	192.168.2.7	1.1.1.1	0x37b0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:30.405312061 CET	192.168.2.7	1.1.1.1	0x4fbd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:38.392009020 CET	192.168.2.7	1.1.1.1	0xc578	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:38.534216881 CET	192.168.2.7	1.1.1.1	0x2e8	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:39.800204992 CET	192.168.2.7	1.1.1.1	0x53d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:39.944120884 CET	192.168.2.7	1.1.1.1	0x69f0	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:40.127747059 CET	192.168.2.7	1.1.1.1	0xe82c	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:40.269069910 CET	192.168.2.7	1.1.1.1	0x1794	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.593008041 CET	192.168.2.7	1.1.1.1	0xfd1b	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.620242119 CET	192.168.2.7	1.1.1.1	0x9a16	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.714133024 CET	192.168.2.7	1.1.1.1	0x82dc	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.761603117 CET	192.168.2.7	1.1.1.1	0x2920	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.858160019 CET	192.168.2.7	1.1.1.1	0x7e4e	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Nov 26, 2024 08:03:41.858427048 CET	192.168.2.7	1.1.1.1	0x7f73	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.901913881 CET	192.168.2.7	1.1.1.1	0x511a	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:03:42.002353907 CET	192.168.2.7	1.1.1.1	0x8a3c	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Nov 26, 2024 08:03:42.835252047 CET	192.168.2.7	1.1.1.1	0xbf7e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:42.976075888 CET	192.168.2.7	1.1.1.1	0x431e	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:43.163609028 CET	192.168.2.7	1.1.1.1	0x50fa	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:43.304146051 CET	192.168.2.7	1.1.1.1	0x46dd	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:04:00.325364113 CET	192.168.2.7	1.1.1.1	0xe451	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:04:11.631391048 CET	192.168.2.7	1.1.1.1	0x179	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:04:41.725730896 CET	192.168.2.7	1.1.1.1	0xa879	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:04:41.873955965 CET	192.168.2.7	1.1.1.1	0x55ee	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Nov 26, 2024 08:04:43.094054937 CET	192.168.2.7	1.1.1.1	0xcd1d	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 26, 2024 08:03:13.722124100 CET	1.1.1.1	192.168.2.7	0x342c	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.725377083 CET	1.1.1.1	192.168.2.7	0x1ce9	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.730777025 CET	1.1.1.1	192.168.2.7	0x90e5	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:13.730777025 CET	1.1.1.1	192.168.2.7	0x90e5	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.863565922 CET	1.1.1.1	192.168.2.7	0x21ab	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.865560055 CET	1.1.1.1	192.168.2.7	0xbc5d	No error (0)	youtube.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.871458054 CET	1.1.1.1	192.168.2.7	0xb700	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:13.985186100 CET	1.1.1.1	192.168.2.7	0xfdba	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:13.985186100 CET	1.1.1.1	192.168.2.7	0xfdba	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.028578043 CET	1.1.1.1	192.168.2.7	0x6666	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.038141012 CET	1.1.1.1	192.168.2.7	0x1a35	No error (0)	youtube.com			28	IN (0x0001)	false
Nov 26, 2024 08:03:14.062155962 CET	1.1.1.1	192.168.2.7	0xa146	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Nov 26, 2024 08:03:14.112524033 CET	1.1.1.1	192.168.2.7	0x7bc1	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:14.112524033 CET	1.1.1.1	192.168.2.7	0x7bc1	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.610304117 CET	1.1.1.1	192.168.2.7	0xc2e5	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.610822916 CET	1.1.1.1	192.168.2.7	0x3049	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.612320900 CET	1.1.1.1	192.168.2.7	0xab36	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.626774073 CET	1.1.1.1	192.168.2.7	0xed	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:14.626774073 CET	1.1.1.1	192.168.2.7	0xed	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:14.626774073 CET	1.1.1.1	192.168.2.7	0xed	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:14.686866999 CET	1.1.1.1	192.168.2.7	0x74e1	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:14.901082993 CET	1.1.1.1	192.168.2.7	0xe467	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.046166897 CET	1.1.1.1	192.168.2.7	0x8b8f	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Nov 26, 2024 08:03:15.232366085 CET	1.1.1.1	192.168.2.7	0xb639	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.232366085 CET	1.1.1.1	192.168.2.7	0xb639	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.232379913 CET	1.1.1.1	192.168.2.7	0xbd48	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.255009890 CET	1.1.1.1	192.168.2.7	0x6e2d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:15.255009890 CET	1.1.1.1	192.168.2.7	0x6e2d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.557600975 CET	1.1.1.1	192.168.2.7	0x8c01	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.701286077 CET	1.1.1.1	192.168.2.7	0x7eb2	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:15.771620989 CET	1.1.1.1	192.168.2.7	0xd771	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:15.771620989 CET	1.1.1.1	192.168.2.7	0xd771	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:16.031444073 CET	1.1.1.1	192.168.2.7	0xd402	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:16.031444073 CET	1.1.1.1	192.168.2.7	0xd402	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:16.171525002 CET	1.1.1.1	192.168.2.7	0x3dae	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:16.377696991 CET	1.1.1.1	192.168.2.7	0x6ec6	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:16.533957958 CET	1.1.1.1	192.168.2.7	0x85e7	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:19.079261065 CET	1.1.1.1	192.168.2.7	0x798b	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:19.079261065 CET	1.1.1.1	192.168.2.7	0x798b	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:19.079261065 CET	1.1.1.1	192.168.2.7	0x798b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:19.098951101 CET	1.1.1.1	192.168.2.7	0xe4c5	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:19.224970102 CET	1.1.1.1	192.168.2.7	0xb78b	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102730036 CET	1.1.1.1	192.168.2.7	0xa79c	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102962017 CET	1.1.1.1	192.168.2.7	0x7952	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:21.102962017 CET	1.1.1.1	192.168.2.7	0x7952	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.189486980 CET	1.1.1.1	192.168.2.7	0x7021	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:21.189486980 CET	1.1.1.1	192.168.2.7	0x7021	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.243711948 CET	1.1.1.1	192.168.2.7	0x9883	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		142.250.181.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.246023893 CET	1.1.1.1	192.168.2.7	0xa50f	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.331372023 CET	1.1.1.1	192.168.2.7	0xe905	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.384438038 CET	1.1.1.1	192.168.2.7	0x2d60	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Nov 26, 2024 08:03:21.386151075 CET	1.1.1.1	192.168.2.7	0x4754	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 08:03:21.386151075 CET	1.1.1.1	192.168.2.7	0x4754	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 08:03:21.386151075 CET	1.1.1.1	192.168.2.7	0x4754	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 08:03:21.386151075 CET	1.1.1.1	192.168.2.7	0x4754	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Nov 26, 2024 08:03:21.471570969 CET	1.1.1.1	192.168.2.7	0x56a2	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Nov 26, 2024 08:03:21.524488926 CET	1.1.1.1	192.168.2.7	0xdb0e	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:21.524488926 CET	1.1.1.1	192.168.2.7	0xdb0e	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.524488926 CET	1.1.1.1	192.168.2.7	0xdb0e	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.524488926 CET	1.1.1.1	192.168.2.7	0xdb0e	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.524488926 CET	1.1.1.1	192.168.2.7	0xdb0e	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.525541067 CET	1.1.1.1	192.168.2.7	0xe517	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.672419071 CET	1.1.1.1	192.168.2.7	0xd5f4	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.672419071 CET	1.1.1.1	192.168.2.7	0xd5f4	No error (0)	twitter.com		104.244.42.129	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.672419071 CET	1.1.1.1	192.168.2.7	0xd5f4	No error (0)	twitter.com		104.244.42.1	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.672419071 CET	1.1.1.1	192.168.2.7	0xd5f4	No error (0)	twitter.com		104.244.42.193	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.676446915 CET	1.1.1.1	192.168.2.7	0x3ada	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.676446915 CET	1.1.1.1	192.168.2.7	0x3ada	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.676446915 CET	1.1.1.1	192.168.2.7	0x3ada	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:21.676446915 CET	1.1.1.1	192.168.2.7	0x3ada	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:38.532421112 CET	1.1.1.1	192.168.2.7	0xc578	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:39.943213940 CET	1.1.1.1	192.168.2.7	0x53d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:39.943213940 CET	1.1.1.1	192.168.2.7	0x53d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:40.091711998 CET	1.1.1.1	192.168.2.7	0x69f0	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:40.091711998 CET	1.1.1.1	192.168.2.7	0x69f0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:40.267136097 CET	1.1.1.1	192.168.2.7	0xe82c	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:40.267136097 CET	1.1.1.1	192.168.2.7	0xe82c	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:40.409257889 CET	1.1.1.1	192.168.2.7	0x1794	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:40.409257889 CET	1.1.1.1	192.168.2.7	0x1794	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.712383032 CET	1.1.1.1	192.168.2.7	0xe5d0	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:41.712383032 CET	1.1.1.1	192.168.2.7	0xe5d0	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.760302067 CET	1.1.1.1	192.168.2.7	0x9a16	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:41.760302067 CET	1.1.1.1	192.168.2.7	0x9a16	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.816055059 CET	1.1.1.1	192.168.2.7	0xfd1b	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.816055059 CET	1.1.1.1	192.168.2.7	0xfd1b	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.816055059 CET	1.1.1.1	192.168.2.7	0xfd1b	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.816055059 CET	1.1.1.1	192.168.2.7	0xfd1b	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.857573986 CET	1.1.1.1	192.168.2.7	0x82dc	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:41.901334047 CET	1.1.1.1	192.168.2.7	0x2920	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:42.001590967 CET	1.1.1.1	192.168.2.7	0x7f73	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:42.001590967 CET	1.1.1.1	192.168.2.7	0x7f73	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:42.001590967 CET	1.1.1.1	192.168.2.7	0x7f73	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:42.001590967 CET	1.1.1.1	192.168.2.7	0x7f73	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:42.141443968 CET	1.1.1.1	192.168.2.7	0x8a3c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 08:03:42.141443968 CET	1.1.1.1	192.168.2.7	0x8a3c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 08:03:42.141443968 CET	1.1.1.1	192.168.2.7	0x8a3c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 08:03:42.141443968 CET	1.1.1.1	192.168.2.7	0x8a3c	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Nov 26, 2024 08:03:42.975070953 CET	1.1.1.1	192.168.2.7	0xbf7e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:42.975070953 CET	1.1.1.1	192.168.2.7	0xbf7e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:43.118810892 CET	1.1.1.1	192.168.2.7	0x431e	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:43.118810892 CET	1.1.1.1	192.168.2.7	0x431e	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:43.302983999 CET	1.1.1.1	192.168.2.7	0x50fa	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:43.302983999 CET	1.1.1.1	192.168.2.7	0x50fa	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:43.707200050 CET	1.1.1.1	192.168.2.7	0x46dd	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:43.707200050 CET	1.1.1.1	192.168.2.7	0x46dd	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:03:45.090765953 CET	1.1.1.1	192.168.2.7	0xa4b8	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:03:45.090765953 CET	1.1.1.1	192.168.2.7	0xa4b8	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:04:11.628844023 CET	1.1.1.1	192.168.2.7	0x7392	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:04:41.872529984 CET	1.1.1.1	192.168.2.7	0xa879	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Nov 26, 2024 08:04:43.242671013 CET	1.1.1.1	192.168.2.7	0xcd1d	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 26, 2024 08:04:43.242671013 CET	1.1.1.1	192.168.2.7	0xcd1d	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49712	34.107.221.82	80	7488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 08:03:13.884391069 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:14.953217030 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 08:50:48 GMT Age: 79946 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49718	34.107.221.82	80	7488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 08:03:15.388159990 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:16.566932917 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65308 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:16.927273989 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:17.261254072 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65309 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:18.955640078 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:19.289817095 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65311 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49719	34.107.221.82	80	7488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 08:03:15.388298035 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:16.519843102 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29179 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:16.948466063 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:17.272505045 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29180 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:18.957685947 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:19.283150911 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29182 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:25.457309008 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:25.781128883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29188 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:28.382405043 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:28.706291914 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29191 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:30.400912046 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:30.725106001 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29193 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:31.903326035 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:32.227256060 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29195 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:33.208465099 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:33.534476042 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29196 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:39.800312996 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:40.124917984 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29202 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:42.834973097 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:43.160872936 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29205 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:44.299422026 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:03:44.623939037 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29207 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:03:54.634471893 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:01.600899935 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:04:01.924973965 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29224 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:04:11.930294991 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:12.859167099 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:04:13.183290958 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29236 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:04:14.132041931 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:04:14.456470013 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29237 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:04:24.458764076 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:34.587642908 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:43.093799114 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Nov 26, 2024 08:04:43.417932987 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Mon, 25 Nov 2024 22:56:57 GMT Age: 29266 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Nov 26, 2024 08:04:53.424912930 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:05:03.554250002 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:05:13.675180912 CET	6	OUT	Data Raw: 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49740	34.107.221.82	80	7488	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Nov 26, 2024 08:03:19.634804010 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:20.765780926 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65312 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:27.399451017 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:27.723038912 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65319 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:29.403645992 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:29.727615118 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65321 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:30.738792896 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:31.062482119 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65322 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:32.230372906 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:32.630093098 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65324 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:33.537708044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:33.909723997 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65325 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:40.127991915 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:40.451941013 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65332 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:43.163461924 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:43.487116098 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65335 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:44.626905918 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:03:44.950834036 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65336 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:03:54.951030016 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:01.927906036 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:04:02.251744032 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65354 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:04:12.253323078 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:13.190582991 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:04:13.514163971 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65365 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:04:14.459882975 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:04:14.783781052 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65366 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:04:24.790918112 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:34.919740915 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:04:43.421415091 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Nov 26, 2024 08:04:43.745045900 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Mon, 25 Nov 2024 12:54:48 GMT Age: 65395 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Nov 26, 2024 08:04:53.757177114 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:05:03.886562109 CET	6	OUT	Data Raw: 00 Data Ascii:
Nov 26, 2024 08:05:14.013633013 CET	6	OUT	Data Raw: 00 Data Ascii:

Target ID:	0
Start time:	02:03:06
Start date:	26/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x440000
File size:	922'624 bytes
MD5 hash:	0F6832047E7BCED4A803541E7C53FD0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:03:06
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0xa00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:03:06
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:03:08
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0xa00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:03:08
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0xa00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0xa00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0xa00000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	02:03:09
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	02:03:10
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2212 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65155996-2b93-46e9-ae4e-1c1110218147} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 192f6c70710 socket
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	02:03:12
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3696 -parentBuildID 20230927232528 -prefsHandle 3760 -prefMapHandle 1472 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ddfb0ec-930d-44cc-b925-82879c9ace8a} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19289111510 rdd
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	02:03:15
Start date:	26/11/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4972 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4968 -prefMapHandle 4952 -prefsLen 33185 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {90187dd2-4e8f-474f-9614-3c8c610e39d8} 7488 "\\.\pipe\gecko-crash-server-pipe.7488" 19288829510 utility
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1500
Total number of Limit Nodes:	54

Executed Functions

Function 004442DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0044430D

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

GetCurrentProcess.KERNEL32(?,004DCB64,00000000,?,?), ref: 00444422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00444429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00444454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00444466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00444474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0044447B
GetSystemInfo.KERNEL32(?,?,?), ref: 004444A0

Strings

kernel32.dll, xrefs: 0044444F
|O, xrefs: 004836F8
GetNativeSystemInfo, xrefs: 00444460

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 4ef7942196d7337a5939c998f8fed81f8d91892789e47b1bf5b647dc335596ab
Instruction ID: 5d12485ffadc2bbbddb2dbccfe402c205ffdfcbb40f98335773eb5014b5bbb06
Opcode Fuzzy Hash: 4ef7942196d7337a5939c998f8fed81f8d91892789e47b1bf5b647dc335596ab
Instruction Fuzzy Hash: 76A1176590AAD0CFDB11DB687C843D97FA46B72741B18CCDBD26093729D228450DEB2E

Function 004442A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,004450AA,?,?,00000000,00000000), ref: 004442B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,004450AA,?,?,00000000,00000000), ref: 004442C9
LoadResource.KERNEL32(?,00000000,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20), ref: 004835BE
SizeofResource.KERNEL32(?,00000000,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20), ref: 004835D3
LockResource.KERNEL32(004450AA,?,?,004450AA,?,?,00000000,00000000,?,?,?,?,?,?,00444F20,?), ref: 004835E6

Strings

SCRIPT, xrefs: 004442BF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 7d917ffa8e76a866c36b33ae6c9143210a2908c62eae9224c22ca7ba7dc73ad9
Instruction ID: 93847e93ddc6f856a7afd4b3e2fd9f4d346232565c8d811aced674530c585a88
Opcode Fuzzy Hash: 7d917ffa8e76a866c36b33ae6c9143210a2908c62eae9224c22ca7ba7dc73ad9
Instruction Fuzzy Hash: C4117CB0601701BFEB218BA5DC88F277BB9EBC5B91F2045AEF40296290DBB1D800C665

Function 00482BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00442B6B

Part of subcall function 00443A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00511418,?,00442E7F,?,?,?,00000000), ref: 00443A78

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00502224), ref: 00482C10
ShellExecuteW.SHELL32(00000000,?,?,00502224), ref: 00482C17

Strings

runas, xrefs: 00482C0B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: b8224c5565467e18f2a0fe8b57ad6a5595dd17793ad4d5ed0e1db55367d3283e
Instruction ID: ba0f5df53f78948406967863b67ed676f51a78ffcf95cc7d178816576d78ac10
Opcode Fuzzy Hash: b8224c5565467e18f2a0fe8b57ad6a5595dd17793ad4d5ed0e1db55367d3283e
Instruction Fuzzy Hash: 7A113A311083416AF704FF21D8859BFBBA4AF90B49F44042FF542020A2CFB89949D71E

Function 004AD4DC Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004AD501
Process32FirstW.KERNEL32(00000000,?), ref: 004AD50F
Process32NextW.KERNEL32(00000000,?), ref: 004AD52F
CloseHandle.KERNELBASE(00000000), ref: 004AD5DC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ff840efcbeb0dc118537223f3c1671bf89fa990e74cd3f7cf2b32a6d68bb35b9
Instruction ID: c5d8c0786fe27042e6e1e3104109ed61e8f91e8bcce322bf982566cdb594eb60
Opcode Fuzzy Hash: ff840efcbeb0dc118537223f3c1671bf89fa990e74cd3f7cf2b32a6d68bb35b9
Instruction Fuzzy Hash: 6C31C471508301AFD300EF54C881AAFBBF8EF99348F14092EF582861A2EB759944CB97

Function 004ADBBE Relevance: 6.0, APIs: 4, Instructions: 29
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00485222), ref: 004ADBCE
GetFileAttributesW.KERNELBASE(?), ref: 004ADBDD
FindFirstFileW.KERNEL32(?,?), ref: 004ADBEE
FindClose.KERNEL32(00000000), ref: 004ADBFA

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 4194f9766e15aba1ccb2284da3ad15dc4c3a87d076ad1aa54b765c46f9626e26
Instruction ID: ab069b7c5fb0ae612a213032e04c17cc5d37f6e8b8301f22da4724f41e5ef17a
Opcode Fuzzy Hash: 4194f9766e15aba1ccb2284da3ad15dc4c3a87d076ad1aa54b765c46f9626e26
Instruction Fuzzy Hash: 72F0A030C119215792206B78AC4D8AB376C9E02334B944763F876C25E0EBB85D55C69E

Function 00464CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000,?,004728E9), ref: 00464D09
TerminateProcess.KERNEL32(00000000,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000,?,004728E9), ref: 00464D10
ExitProcess.KERNEL32 ref: 00464D22

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f8261537ad3431f6e4c1b0e6918fef14662c7ba5aa06ea1e40c46ca0e7c3aa76
Instruction ID: a5b42991390f8a271986e92c55c8af9d320883932a3247fd4caf56aa5c67da61
Opcode Fuzzy Hash: f8261537ad3431f6e4c1b0e6918fef14662c7ba5aa06ea1e40c46ca0e7c3aa76
Instruction Fuzzy Hash: C9E0B631401149ABCF21AF55DD49A593B69EB82785F10842AFC098B222DB39DD42DA89

Function 0044BF40 Relevance: 2.4, Strings: 1, Instructions: 1178COMMON

Download Yara Rule

Strings

p#Q, xrefs: 004907CE

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper
String ID: p#Q
API String ID: 3964851224-158705473
Opcode ID: 656cc09812c5d26d69496cb1e2859c932f20d1b8ffa18041ce257e3c55df7b11
Instruction ID: fe5a39c86181f9cf79d1ae2702ea72aeee18ef6cedea6009e2a1c64598f83df7
Opcode Fuzzy Hash: 656cc09812c5d26d69496cb1e2859c932f20d1b8ffa18041ce257e3c55df7b11
Instruction Fuzzy Hash: F9A26E706083019FDB50DF15C480B2BBBE1BF99304F18896EE9998B352D779EC45CB9A

Function 004CAFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 004CB198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004CB1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004CB1D4
_wcslen.LIBCMT ref: 004CB200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004CB214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004CB236
_wcslen.LIBCMT ref: 004CB332

Part of subcall function 004B05A7: GetStdHandle.KERNEL32(000000F6), ref: 004B05C6

_wcslen.LIBCMT ref: 004CB34B
_wcslen.LIBCMT ref: 004CB366
CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004CB3B6
GetLastError.KERNEL32(00000000), ref: 004CB407
CloseHandle.KERNEL32(?), ref: 004CB439
CloseHandle.KERNEL32(00000000), ref: 004CB44A
CloseHandle.KERNEL32(00000000), ref: 004CB45C
CloseHandle.KERNEL32(00000000), ref: 004CB46E
CloseHandle.KERNEL32(?), ref: 004CB4E3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: a19683b4a105a37bdf663504632fd18cac2d0aca420d319a713a064909bd8480
Instruction ID: a71c4b20f001fb8cc1a96b29c4d0441904f2a1757faa604840f5b10b314359c5
Opcode Fuzzy Hash: a19683b4a105a37bdf663504632fd18cac2d0aca420d319a713a064909bd8480
Instruction Fuzzy Hash: 4CF19C356082409FD754EF25C882B2BBBE5EF85318F14855EF8854B2A2CB39DC05CB9A

Function 0044D730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0044D807
timeGetTime.WINMM ref: 0044DA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB28
TranslateMessage.USER32(?), ref: 0044DB7B
DispatchMessageW.USER32(?), ref: 0044DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB9F
Sleep.KERNELBASE(0000000A), ref: 0044DBB1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: b214affebbc3342d457b7aa67992a710bb56d41f676af029d173a3410f752df9
Instruction ID: 6460be988781d31e70a8c26148c01bcd580e65ccf735d09a405225ea97a92ac0
Opcode Fuzzy Hash: b214affebbc3342d457b7aa67992a710bb56d41f676af029d173a3410f752df9
Instruction Fuzzy Hash: 3B42D470A04642EFEB24CF25C884BAABBE1FF45304F14856FE45587391D778E849CB8A

Function 00442CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00442D07
RegisterClassExW.USER32(00000030), ref: 00442D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00442D42
InitCommonControlsEx.COMCTL32(?), ref: 00442D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00442D6F
LoadIconW.USER32(000000A9), ref: 00442D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00442D94

Strings

TaskbarCreated, xrefs: 00442D37
0, xrefs: 00442CE9
+, xrefs: 00442CF0
AutoIt v3 GUI, xrefs: 00442D23

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cbe30313d8f4974dd3f2640c3549f5bd5da602ce5e1f22c09f51cdca33ac5707
Instruction ID: 3688adc7738a65c30cb61ed8d04c8e52c5ce0fde6eb1b0a8c4716bd4db3bc1cb
Opcode Fuzzy Hash: cbe30313d8f4974dd3f2640c3549f5bd5da602ce5e1f22c09f51cdca33ac5707
Instruction Fuzzy Hash: F421C8B590221AAFDB00DFA4E889BDDBBB4FB08701F10816BF621A6290D7B54544DF99

Function 0048065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0048039A: CreateFileW.KERNELBASE(00000000,00000000,?,00480704,?,?,00000000,?,00480704,00000000,0000000C), ref: 004803B7

GetLastError.KERNEL32 ref: 0048076F
__dosmaperr.LIBCMT ref: 00480776
GetFileType.KERNELBASE(00000000), ref: 00480782
GetLastError.KERNEL32 ref: 0048078C
__dosmaperr.LIBCMT ref: 00480795
CloseHandle.KERNEL32(00000000), ref: 004807B5
CloseHandle.KERNEL32(?), ref: 004808FF
GetLastError.KERNEL32 ref: 00480931
__dosmaperr.LIBCMT ref: 00480938

Strings

H, xrefs: 004808BD

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 4d7002a36a8f9c9eaff585fe0e558cb6234ae5c82fefcc32e3c6fdcf31deca99
Instruction ID: b6584fb4f980b995ec135db1300442721fd88bd319fa200a0e3e384be7f49296
Opcode Fuzzy Hash: 4d7002a36a8f9c9eaff585fe0e558cb6234ae5c82fefcc32e3c6fdcf31deca99
Instruction Fuzzy Hash: 7CA13732A101048FDF19AF68D852BAE7BA0AB06324F14415FF8159B3D1D7399C5BCB99

Function 0044344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00443A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00511418,?,00442E7F,?,?,?,00000000), ref: 00443A78

Part of subcall function 00443357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00443379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0044356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0048318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 004831CE
RegCloseKey.ADVAPI32(?), ref: 00483210
_wcslen.LIBCMT ref: 00483277
_wcslen.LIBCMT ref: 00483286

Strings

\Include\, xrefs: 00443527
Include, xrefs: 00483184, 004831C5
\, xrefs: 0048328C
Software\AutoIt v3\AutoIt, xrefs: 00443560

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: ff3e9d7952dc50b3fba952f1beafc9ac5ab07d51fdf6ac41d2d2362e4a1269e9
Instruction ID: 7981a67b3e4dd62e03b4ba9a4a056cfaec4e7c20a8f67dc323da5edcb5ab6a5b
Opcode Fuzzy Hash: ff3e9d7952dc50b3fba952f1beafc9ac5ab07d51fdf6ac41d2d2362e4a1269e9
Instruction Fuzzy Hash: 6371AD714043019ED704EF2AEC8299BBBE8FF94744F404C2FF45583261EB389A58CB5A

Function 00442B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00442B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00442B9D
LoadIconW.USER32(00000063), ref: 00442BB3
LoadIconW.USER32(000000A4), ref: 00442BC5
LoadIconW.USER32(000000A2), ref: 00442BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00442BEF
RegisterClassExW.USER32(?), ref: 00442C40

Part of subcall function 00442CD4: GetSysColorBrush.USER32(0000000F), ref: 00442D07
Part of subcall function 00442CD4: RegisterClassExW.USER32(00000030), ref: 00442D31
Part of subcall function 00442CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00442D42
Part of subcall function 00442CD4: InitCommonControlsEx.COMCTL32(?), ref: 00442D5F
Part of subcall function 00442CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00442D6F
Part of subcall function 00442CD4: LoadIconW.USER32(000000A9), ref: 00442D85
Part of subcall function 00442CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00442D94

Strings

AutoIt v3, xrefs: 00442C2F
#, xrefs: 00442C16
0, xrefs: 00442C0F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e5d7f7fef5fd9553c70609173965a10001edaaee81e95b612099916d588b9fb0
Instruction ID: 237fa8df1809e38391637b9791aec449ff132ea14e4639a5549f9fdaf604947c
Opcode Fuzzy Hash: e5d7f7fef5fd9553c70609173965a10001edaaee81e95b612099916d588b9fb0
Instruction Fuzzy Hash: 5B217F70E02315ABDB109F95EC94AD97FB4FB18B40F0084ABF610A22A4D3B10544EF8C

Function 00443170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,0044316A,?,?), ref: 004431D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0044316A,?,?), ref: 00443204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00443227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,0044316A,?,?), ref: 00443232
CreatePopupMenu.USER32 ref: 00443246
PostQuitMessage.USER32(00000000), ref: 00443267

Strings

TaskbarCreated, xrefs: 0044322D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 65b5b24d10935c6804b1b3ac78f624f5dfc4ea7fd117cdc3be86d063a120020f
Instruction ID: 88a98ec6f47ea700d45017a46820788515ed862844a84f1f7b454c99a80dbf36
Opcode Fuzzy Hash: 65b5b24d10935c6804b1b3ac78f624f5dfc4ea7fd117cdc3be86d063a120020f
Instruction Fuzzy Hash: 7D415930200205A7FF142F789D49BBE3A55F711B06F04416BFA12853A5CBEC9E41D76E

Function 00441410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00441459
CoUninitialize.COMBASE ref: 004414F8
UnregisterHotKey.USER32(?), ref: 004416DD
DestroyWindow.USER32(?), ref: 004824B9
FreeLibrary.KERNEL32(?), ref: 0048251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0048254B

Strings

close all, xrefs: 00441454

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: dc587a83ead5f6029712d77e158df7193154cc851a3db10a66efc6abe6398658
Instruction ID: c8d898f5a9d5b771e562e646e678dfc106df17fb9795d8bd62a0d24e1d170d83
Opcode Fuzzy Hash: dc587a83ead5f6029712d77e158df7193154cc851a3db10a66efc6abe6398658
Instruction Fuzzy Hash: CED1CC307012129FDB19EF15C599A2AF7A0BF05704F1446AFE80A6B362DB38EC56CF59

Function 00442C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00442C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00442CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00441CAD,?), ref: 00442CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00441CAD,?), ref: 00442CCF

Strings

AutoIt v3, xrefs: 00442C89, 00442C8E, 00442C8F
edit, xrefs: 00442CAC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: d32a85d86ea65a7c6f344e4a920457c59d5d0581aaf6d97724501567e39d8169
Instruction ID: e0e4be680c0f3d73271899106ebe627805ae4d432946068f4c247df8486a4ba5
Opcode Fuzzy Hash: d32a85d86ea65a7c6f344e4a920457c59d5d0581aaf6d97724501567e39d8169
Instruction Fuzzy Hash: 74F05E755402917AEB300713AC58EB77FBDD7D6F50F0085AFFA10A32A4C6750844EAB8

Function 00443B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00443B0F,SwapMouseButtons,00000004,?), ref: 00443B83

Strings

Control Panel\Mouse, xrefs: 00443B3E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 49a19f1299adb8b6fa28f023fba4b5c2d6e253fbdf3302028acfac40fb6d5313
Instruction ID: 678ba80e24ca60733b9712cf00d8095b733fc32482e1b25b46adf43a17b556bd
Opcode Fuzzy Hash: 49a19f1299adb8b6fa28f023fba4b5c2d6e253fbdf3302028acfac40fb6d5313
Instruction Fuzzy Hash: BB115AB1511208FFEB218FA4DC84AAFB7B8EF00B45B10846AA801D7211D231AE409768

Function 00443923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 004833A2

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00443A04

Strings

Line: , xrefs: 004833EB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 2633230c90580a693d6ceae46ecb618f10c38eb50f95d4e142d6004ee3ca02bf
Instruction ID: b95435872d310a28332a661fcebcd7064a787f6eb1dee93a5503e43b1dc3f063
Opcode Fuzzy Hash: 2633230c90580a693d6ceae46ecb618f10c38eb50f95d4e142d6004ee3ca02bf
Instruction Fuzzy Hash: FA31E471408300AAE721EF20DC45BDFB7D8AF40B19F10496FF59992191EB789A49C7CB

Function 00442DE3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00482C8C

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 00442DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00442DC4

Strings

`eP, xrefs: 00482C85
X, xrefs: 00482C5A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`eP
API String ID: 779396738-3660009032
Opcode ID: a2215ff22072f86fb6b07b0e56e862c1e3872afb3ea1fb75ea60a743bd482838
Instruction ID: a59732b2ccb16d04998dcc926d5f05f74336f62bd392b5f9699f22d6849eae3c
Opcode Fuzzy Hash: a2215ff22072f86fb6b07b0e56e862c1e3872afb3ea1fb75ea60a743bd482838
Instruction Fuzzy Hash: DD21A470A002589ADB01AF95C8457EE7BF8AF48308F00405AE505A7281DBF85649CB69

Function 0045FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00460668

Part of subcall function 004632A4: RaiseException.KERNEL32(?,?,?,0046068A,?,00511444,?,?,?,?,?,?,0046068A,00441129,00508738,00441129), ref: 00463304

__CxxThrowException@8.LIBVCRUNTIME ref: 00460685

Strings

Unknown exception, xrefs: 00460692

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: d79350511744dcf0ec1d8af1fcd7c5f1b34531754a836dd64b432e8bf0c56611
Instruction ID: 9cb27959b7f77c09cd8d132bb688fbda648552e3a84517e7ee9e3535ec688763
Opcode Fuzzy Hash: d79350511744dcf0ec1d8af1fcd7c5f1b34531754a836dd64b432e8bf0c56611
Instruction Fuzzy Hash: A4F0FF2490020D73CB00BAA6D846C9F7B6C6E00308B60403BB915866D2FF39DA2E858B

Function 004410F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00441BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00441BF4
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00441BFC
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00441C07
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00441C12
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00441C1A
Part of subcall function 00441BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00441C22

Part of subcall function 00441B4A: RegisterWindowMessageW.USER32(00000004,?,004412C4), ref: 00441BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0044136A
OleInitialize.OLE32 ref: 00441388
CloseHandle.KERNEL32(00000000,00000000), ref: 004824AB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 754d603915766dd8d84f66169f3de82500345a24a135c3ded65e049bf177ae37
Instruction ID: 22e58ddbca1de210421c7eccae6c58f18a5c25a069507955b39722413b5965e7
Opcode Fuzzy Hash: 754d603915766dd8d84f66169f3de82500345a24a135c3ded65e049bf177ae37
Instruction Fuzzy Hash: 5F71E1B4911A018ED784EF7AA8956D53AE2FBA8344306C1EFD60AC7371E7744449EF4C

Function 004AC161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00443923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00443A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 004AC259
KillTimer.USER32(?,00000001,?,?), ref: 004AC261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 004AC270

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: 804697fb0e80e462812e29affb712fb1916e12d5f31b5044f0fcef72a0466761
Instruction ID: 67f7fad469b43c80694a5d9e333056d7c87bb2d524338f0e10f029916512b86b
Opcode Fuzzy Hash: 804697fb0e80e462812e29affb712fb1916e12d5f31b5044f0fcef72a0466761
Instruction Fuzzy Hash: 7D31E571900744AFEB628F648885BE7BBEC9B27308F0004DFD2DA97241C3785A85CB5A

Function 004786AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,004785CC,?,00508CC8,0000000C), ref: 00478704
GetLastError.KERNEL32(?,004785CC,?,00508CC8,0000000C), ref: 0047870E
__dosmaperr.LIBCMT ref: 00478739

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 68fafc01d62619cf775a0ce33a2146a4d575abab5333fb1c823a5a03ec58c108
Instruction ID: a176f63e4f6848a08e98e94dbc5e7d9ef1bdaad79741544376c3281a58fb960a
Opcode Fuzzy Hash: 68fafc01d62619cf775a0ce33a2146a4d575abab5333fb1c823a5a03ec58c108
Instruction Fuzzy Hash: 37014832A4522036D6246334684E7EF275A4B91778F29C11FEC0C8F2E2DEEC8C85819C

Function 0044DB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 0044DB7B
DispatchMessageW.USER32(?), ref: 0044DB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0044DB9F
Sleep.KERNELBASE(0000000A), ref: 0044DBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00491CC9

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: e5c3d535d54f63531f5cbbfa56a26653fe05875aca18914c663bfefe22c7a0c8
Instruction ID: cfd0ed14e6f131edfb9f2a6ea8d284e46b5ddb0c21d854380380a4cb6d119c40
Opcode Fuzzy Hash: e5c3d535d54f63531f5cbbfa56a26653fe05875aca18914c663bfefe22c7a0c8
Instruction Fuzzy Hash: EAF054306053429BFB30C7608C89FEB77A8EB44311F10452BE61A831D0DB34A449CB1D

Function 00451310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004517F6

Strings

CALL, xrefs: 004517C6

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6a5df37a4dfe51697228b8ca939f6b004f57b3b3424c28560dc21b796a276522
Instruction ID: dfc3be6f01bc5547f9f2665d21aa4e351b8fd0173a5582bba5d250e6f87cc3d3
Opcode Fuzzy Hash: 6a5df37a4dfe51697228b8ca939f6b004f57b3b3424c28560dc21b796a276522
Instruction Fuzzy Hash: 21229E70608301AFC714DF15C480B2ABBF1BF85319F15892EF8968B362D779E949CB5A

Function 00443837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443908

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 8d121da5f316c3cc7c9f15b85cbaf8fda1d19f3870773850659b5ce2f5739047
Instruction ID: 6a5272416407c61594ce4e1b61ee7bf71155e163c2d4ec114ea42c156a1881be
Opcode Fuzzy Hash: 8d121da5f316c3cc7c9f15b85cbaf8fda1d19f3870773850659b5ce2f5739047
Instruction Fuzzy Hash: 6231B4B05047019FE720EF25D885797B7E4FB59709F00096FF69983340E775AA44CB5A

Function 0045F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0045F661

Part of subcall function 0044D730: GetInputState.USER32 ref: 0044D807

Sleep.KERNEL32(00000000), ref: 0049F2DE

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: a2f112a28c72df399222c4c7ce488db0f2161aa16da71d6caa59f08405c2f1d9
Instruction ID: 046b90dd77b3c8a1991ab6647de9b5a97f0014bc5edaa945b6f5fcd89b057e31
Opcode Fuzzy Hash: a2f112a28c72df399222c4c7ce488db0f2161aa16da71d6caa59f08405c2f1d9
Instruction Fuzzy Hash: E8F08231240205AFD310EF65D545B5AB7E4FF45765F00003BE85DC72A1DB70A804CF99

Function 00444ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00444E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E9C
Part of subcall function 00444E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00444EAE
Part of subcall function 00444E90: FreeLibrary.KERNEL32(00000000,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EFD

Part of subcall function 00444E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E62
Part of subcall function 00444E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00444E74
Part of subcall function 00444E59: FreeLibrary.KERNEL32(00000000,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E87

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: d2759056268196ef8dd648dc5e39be1d682ed96ff9738ac6e7eb2ef9ba956f8d
Instruction ID: 1ac20374369c95a2c179ff2503c517e0b98821f2c5e98f46d5b2f5142ff55c90
Opcode Fuzzy Hash: d2759056268196ef8dd648dc5e39be1d682ed96ff9738ac6e7eb2ef9ba956f8d
Instruction Fuzzy Hash: D011E732600205ABEF14BF62DC02FAD77A5AF80B15F20842FF542A61C1EE78DA099758

Function 00478402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00478440

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f7478605330f636079734377b23e766588ccd56946aea595ec9d647d2b6f3128
Instruction ID: ca23906fe42ddb8fd6e72907e6ec3752bf3922d84abfb95cc8b53a5d9b00cc0f
Opcode Fuzzy Hash: f7478605330f636079734377b23e766588ccd56946aea595ec9d647d2b6f3128
Instruction Fuzzy Hash: 2611487190410AAFCB05DF58E9449DF7BF4EF48314F10805AF808AB312EA70DA11CBA9

Function 00475000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00474C7D: RtlAllocateHeap.NTDLL(00000008,00441129,00000000,?,00472E29,00000001,00000364,?,?,?,0046F2DE,00473863,00511444,?,0045FDF5,?), ref: 00474CBE

_free.LIBCMT ref: 0047506C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 834591ad323bd6f39fbcbdc501f5e796600f84bc99fd8f73d55215d2fdea21bf
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: B0012BB22047445BE3218F65984199AFBECFB85370F25451EE19897280E6746805C678

Function 0046E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: c89fc231e16683e5bccdf3b5de19f8a38a7c69877adb2de49b58396d05492a16
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 25F0F936A11A1496C6313A77DD05B9733D89F62338F10471FF424922D2EB7C980685AF

Function 00474C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00441129,00000000,?,00472E29,00000001,00000364,?,?,?,0046F2DE,00473863,00511444,?,0045FDF5,?), ref: 00474CBE

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ca1096a605803c321d799005684e5d56e5b9496a2ce39178dc193aead9e1248d
Instruction ID: 04b3ab932b2dacfa5a985f9c022db7ae9a4e4c30c7a1d40b9ce389c2775b82e4
Opcode Fuzzy Hash: ca1096a605803c321d799005684e5d56e5b9496a2ce39178dc193aead9e1248d
Instruction Fuzzy Hash: 08F0BB316021246EDB225F629C05BFB3748AFC1760B1BC517B91D972C4DB39DC05959D

Function 00473820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 58b59ee86e6b7e5d47af003e5644711885c8141caa7bcc430cf04687c6da66ff
Instruction ID: de3d5d51bfb8c8d3e5d751b347f1259388313f6072ab6522c603d86a8c38e356
Opcode Fuzzy Hash: 58b59ee86e6b7e5d47af003e5644711885c8141caa7bcc430cf04687c6da66ff
Instruction Fuzzy Hash: 9BE0A02110122596DB213E679C00BDB37C8AB827B2B068127BC18A26C1DB399D01A5EF

Function 00444F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444F6D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4a51b09c90e80300a39d67c94bcc87ef567e4a1dfd175023572e15410ea7d7ed
Instruction ID: 60956efa9e85b2767f189e24d89fc8693c78886c379a32c813f66f4a295abd23
Opcode Fuzzy Hash: 4a51b09c90e80300a39d67c94bcc87ef567e4a1dfd175023572e15410ea7d7ed
Instruction Fuzzy Hash: D4F03071105752CFEB349F65D490A16B7E4AF54319310897FE1EA82621C7359848DF19

Function 004D2A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004D2A66

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 597d2b9e4aaef9fe849cccaa309722b735a294a93d579703c36ff3dff3d61ba8
Instruction ID: 9ca4c5b0746be3e6257d793f9a3a237f37086a239c0a82ba1d45e034b6a28d91
Opcode Fuzzy Hash: 597d2b9e4aaef9fe849cccaa309722b735a294a93d579703c36ff3dff3d61ba8
Instruction Fuzzy Hash: 8FE04F76350116AAC714EA31DC948FEB35CEBB5399710453BFC16C2310EBB8D99686A8

Function 004430F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 0044314E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 041810799e7b7f5aebfb87e94ef345fc1c4122bb0d0dd61dc7b5c4b0ee283bbf
Instruction ID: 8eedf0b421fe1b2724b01a266ad8ffa95d93d7065a706e475f2ba061da5b2cf0
Opcode Fuzzy Hash: 041810799e7b7f5aebfb87e94ef345fc1c4122bb0d0dd61dc7b5c4b0ee283bbf
Instruction Fuzzy Hash: 21F0A7709003149FE7529F24DC457D67BBCA70170CF0000EAA64896285DB744788CF45

Function 00442DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00442DC4

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e4a915579dc9778be1b1216905954671bf3110e05f748ed4868d3f83ea642fb0
Instruction ID: 84f0dda81e19cd48690b8a30029a7f8b90fcf59e321822fefcf665de6199973f
Opcode Fuzzy Hash: e4a915579dc9778be1b1216905954671bf3110e05f748ed4868d3f83ea642fb0
Instruction Fuzzy Hash: 1FE0CD72A001245BCB10A2599C05FDA77DDDFC8794F0500B7FD09D7258D964AD80C659

Function 00442B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00443837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00443908

Part of subcall function 0044D730: GetInputState.USER32 ref: 0044D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00442B6B

Part of subcall function 004430F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0044314E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 80f0ae5c40132efa3f4b77c3f9c46f5106b3db31974d7d93ddd8a1520dd41889
Instruction ID: 754d3e65709aec7bebf1bba0160d51c9852577c875ab93fc1d2c46f40df4ba7d
Opcode Fuzzy Hash: 80f0ae5c40132efa3f4b77c3f9c46f5106b3db31974d7d93ddd8a1520dd41889
Instruction Fuzzy Hash: 83E0262170024403EA04BF3698524AEB7899BD1B5AF40153FF14243163CEAC4989821D

Function 0048039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00480704,?,?,00000000,?,00480704,00000000,0000000C), ref: 004803B7

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 502f2d8cce2891071c5753cb3bafaed66d414ea3d60f239f120b54e14f1a9a56
Instruction ID: 3b735f5a1c87884d852f9dfe2427ed504f707095d9e9503effc7daeaf1261fe2
Opcode Fuzzy Hash: 502f2d8cce2891071c5753cb3bafaed66d414ea3d60f239f120b54e14f1a9a56
Instruction Fuzzy Hash: 97D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014010BE1856020C732E821EB94

Function 00441CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00441CBC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 56260797d8a6a4bf3053153abd436c5f3ab50f37b416353d22972aa936901174
Instruction ID: cb07b859eaa7480e199b012bf077c1defa4faea4d6a3cf5c27192feed63508c7
Opcode Fuzzy Hash: 56260797d8a6a4bf3053153abd436c5f3ab50f37b416353d22972aa936901174
Instruction Fuzzy Hash: B9C09236280305AFF6148B80BC9AF907B65E368B01F04C502F709A95E3C3A22824FA58

Non-executed Functions

Function 004D9576 Relevance: 74.1, APIs: 39, Strings: 3, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 004D961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004D965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 004D969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D96C9
SendMessageW.USER32 ref: 004D96F2
GetKeyState.USER32(00000011), ref: 004D978B
GetKeyState.USER32(00000009), ref: 004D9798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 004D97AE
GetKeyState.USER32(00000010), ref: 004D97B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004D97E9
SendMessageW.USER32 ref: 004D9810
SendMessageW.USER32(?,00001030,?,004D7E95), ref: 004D9918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 004D992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 004D9941
SetCapture.USER32(?), ref: 004D994A
ClientToScreen.USER32(?,?), ref: 004D99AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 004D99BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004D99D6
ReleaseCapture.USER32 ref: 004D99E1
GetCursorPos.USER32(?), ref: 004D9A19
ScreenToClient.USER32(?,?), ref: 004D9A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 004D9A80
SendMessageW.USER32 ref: 004D9AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 004D9AEB
SendMessageW.USER32 ref: 004D9B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 004D9B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 004D9B4A
GetCursorPos.USER32(?), ref: 004D9B68
ScreenToClient.USER32(?,?), ref: 004D9B75
GetParent.USER32(?), ref: 004D9B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 004D9BFA
SendMessageW.USER32 ref: 004D9C2B
ClientToScreen.USER32(?,?), ref: 004D9C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 004D9CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 004D9CDE
SendMessageW.USER32 ref: 004D9D01
ClientToScreen.USER32(?,?), ref: 004D9D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 004D9D82

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

GetWindowLongW.USER32(?,000000F0), ref: 004D9E05

Strings

F, xrefs: 004D9D07
p#Q, xrefs: 004D9990
@GUI_DRAGID, xrefs: 004D997D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F$p#Q
API String ID: 3429851547-4150650095
Opcode ID: af580b95b5b5de2486d563454b5c155ffe71697efddc00b5738b3a2f97fd4bef
Instruction ID: 64daf8ab0eedf3fe3ba9a20979cc46aad404fb0de3c89662afcc3d7d5f808a3f
Opcode Fuzzy Hash: af580b95b5b5de2486d563454b5c155ffe71697efddc00b5738b3a2f97fd4bef
Instruction Fuzzy Hash: 1B429830204201AFDB24CF24C8A4AAABBE5FF49314F144A5BF699D73A1D735EC54CB4A

Function 004D4873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004D48F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 004D4908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 004D4927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 004D494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004D495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 004D497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 004D49AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 004D49D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 004D4A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004D4A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 004D4A7E
IsMenu.USER32(?), ref: 004D4A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D4AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004D4B20
GetWindowLongW.USER32(?,000000F0), ref: 004D4B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 004D4BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 004D4C82
wsprintfW.USER32 ref: 004D4CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D4CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D4CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004D4D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D4D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 004D4D5A

Strings

%d/%02d/%02d, xrefs: 004D4CA8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 6e992a736c9566e7d47fc3dfc042d882cbe6cdd3496ec718db598403946b4a5b
Instruction ID: 052eb20d477470106696892d35da51bc4539191c3dd0a870e5859e0e746cc518
Opcode Fuzzy Hash: 6e992a736c9566e7d47fc3dfc042d882cbe6cdd3496ec718db598403946b4a5b
Instruction Fuzzy Hash: 7412EE71600215ABEB248F29CC59FAF7BE8EF85710F10412BF915EA3E1DB789941CB58

Function 0045F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0045F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0049F474
IsIconic.USER32(00000000), ref: 0049F47D
ShowWindow.USER32(00000000,00000009), ref: 0049F48A
SetForegroundWindow.USER32(00000000), ref: 0049F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049F4AA
GetCurrentThreadId.KERNEL32 ref: 0049F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0049F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0049F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0049F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0049F4DE
SetForegroundWindow.USER32(00000000), ref: 0049F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F4F6
keybd_event.USER32(00000012,00000000), ref: 0049F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F50B
keybd_event.USER32(00000012,00000000), ref: 0049F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F519
keybd_event.USER32(00000012,00000000), ref: 0049F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0049F528
keybd_event.USER32(00000012,00000000), ref: 0049F52D
SetForegroundWindow.USER32(00000000), ref: 0049F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0049F557

Strings

Shell_TrayWnd, xrefs: 0049F46F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 2c96c3419501d951e3867f08c1930c1c294acd9f6cb125ce3d937806228bc049
Instruction ID: f88722f835e954db8571fdb4e4787251df1f13bcfd49dbcdf8bb5af67dd6f2c6
Opcode Fuzzy Hash: 2c96c3419501d951e3867f08c1930c1c294acd9f6cb125ce3d937806228bc049
Instruction Fuzzy Hash: D9315271A41229BBEF206BB55C89FBF7F6CEB44B50F110077F600E61D1C6B45900EA69

Function 004A1201 Relevance: 40.5, APIs: 19, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 004A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
Part of subcall function 004A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
Part of subcall function 004A16C3: GetLastError.KERNEL32 ref: 004A174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 004A1286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 004A12A8
CloseHandle.KERNEL32(?), ref: 004A12B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004A12D1
GetProcessWindowStation.USER32 ref: 004A12EA
SetProcessWindowStation.USER32(00000000), ref: 004A12F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004A1310

Part of subcall function 004A10BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004A11FC), ref: 004A10D4
Part of subcall function 004A10BF: CloseHandle.KERNEL32(?,?,004A11FC), ref: 004A10E9

Strings

winsta0, xrefs: 004A12CC
ZP, xrefs: 004A1392
default, xrefs: 004A130B
, xrefs: 004A125A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$ZP
API String ID: 22674027-2560706152
Opcode ID: 47936fb50146e2236261affa4d4c7c4f4e839471c0aea4dbcac36dd3f9cb9600
Instruction ID: 4ef6bd66daae39113fe0447dab13b4eeb5c047484ae28d41d9fa5bf4e65c3333
Opcode Fuzzy Hash: 47936fb50146e2236261affa4d4c7c4f4e839471c0aea4dbcac36dd3f9cb9600
Instruction Fuzzy Hash: 41818F71900209AFDF119FA8DC89FEF7BB9EF19704F14412BF911A62A0D7798944CB29

Function 004A0B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
Part of subcall function 004A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
Part of subcall function 004A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
Part of subcall function 004A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004A0BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004A0C00
GetLengthSid.ADVAPI32(?), ref: 004A0C17
GetAce.ADVAPI32(?,00000000,?), ref: 004A0C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004A0C6D
GetLengthSid.ADVAPI32(?), ref: 004A0C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004A0C8C
HeapAlloc.KERNEL32(00000000), ref: 004A0C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004A0CB4
CopySid.ADVAPI32(00000000), ref: 004A0CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004A0CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004A0D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004A0D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D45
HeapFree.KERNEL32(00000000), ref: 004A0D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D55
HeapFree.KERNEL32(00000000), ref: 004A0D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0D65
HeapFree.KERNEL32(00000000), ref: 004A0D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 004A0D78
HeapFree.KERNEL32(00000000), ref: 004A0D7F

Part of subcall function 004A1193: GetProcessHeap.KERNEL32(00000008,004A0BB1,?,00000000,?,004A0BB1,?), ref: 004A11A1
Part of subcall function 004A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004A0BB1,?), ref: 004A11A8
Part of subcall function 004A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004A0BB1,?), ref: 004A11B7

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f4a92d76fbc759de3943edaad951cff41aaef5a99afe4b6ef80c2443c6f8eadb
Instruction ID: 50ff4d7a3227e6681004e9d3dde28ae4e2668233599b94589bb9fcbdea25bb78
Opcode Fuzzy Hash: f4a92d76fbc759de3943edaad951cff41aaef5a99afe4b6ef80c2443c6f8eadb
Instruction Fuzzy Hash: 68717C7290121AABDF10DFE4DC84BEFBBB8BF15310F04452AE914A7291D779A905CBA4

Function 004BEAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(004DCC08), ref: 004BEB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 004BEB37
GetClipboardData.USER32(0000000D), ref: 004BEB43
CloseClipboard.USER32 ref: 004BEB4F
GlobalLock.KERNEL32(00000000), ref: 004BEB87
CloseClipboard.USER32 ref: 004BEB91
GlobalUnlock.KERNEL32(00000000), ref: 004BEBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 004BEBC9
GetClipboardData.USER32(00000001), ref: 004BEBD1
GlobalLock.KERNEL32(00000000), ref: 004BEBE2
GlobalUnlock.KERNEL32(00000000), ref: 004BEC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 004BEC38
GetClipboardData.USER32(0000000F), ref: 004BEC44
GlobalLock.KERNEL32(00000000), ref: 004BEC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 004BEC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BEC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 004BECD2
GlobalUnlock.KERNEL32(00000000), ref: 004BECF3
CountClipboardFormats.USER32 ref: 004BED14
CloseClipboard.USER32 ref: 004BED59

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 61b65656fe9696539818400f24102ec99e4b267dd2efb1c6acf7686926919075
Instruction ID: cb9edb0f9d8dfdc24c5f90adcaf93bc3293a8e5a8e16f1bb39003e092e0c1037
Opcode Fuzzy Hash: 61b65656fe9696539818400f24102ec99e4b267dd2efb1c6acf7686926919075
Instruction Fuzzy Hash: 2161D5352042029FD300EF26D884FAA77E8EF84714F14456FF456972A2DB79ED05CB6A

Function 004B698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B69BE
FindClose.KERNEL32(00000000), ref: 004B6A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B6A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004B6A75

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 004B6AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 004B6ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 004B6B32
%4d, xrefs: 004B6BB1
%03d, xrefs: 004B6DA2
%02d, xrefs: 004B6C00, 004B6C0A, 004B6C5A, 004B6CAA, 004B6CFA, 004B6D4A
%4d%02d%02d%02d%02d%02d, xrefs: 004B6B6A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: c363c0295849bf0c4cc9e946a3f6eb4b0a435f6f621e41de5190166f7abc3747
Instruction ID: 08d9f92056e9e0ff60ebf324fe8bfea3ae7a30b2a900b7b186a840d04246ee1f
Opcode Fuzzy Hash: c363c0295849bf0c4cc9e946a3f6eb4b0a435f6f621e41de5190166f7abc3747
Instruction Fuzzy Hash: 32D15471508300AFD710EBA5C881EAFB7ECAF89708F44491EF585D7191EB78DA48CB66

Function 004B9642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 004B9663
GetFileAttributesW.KERNEL32(?), ref: 004B96A1
SetFileAttributesW.KERNEL32(?,?), ref: 004B96BB
FindNextFileW.KERNEL32(00000000,?), ref: 004B96D3
FindClose.KERNEL32(00000000), ref: 004B96DE
FindFirstFileW.KERNEL32(*.*,?), ref: 004B96FA
SetCurrentDirectoryW.KERNEL32(?), ref: 004B974A
SetCurrentDirectoryW.KERNEL32(00506B7C), ref: 004B9768
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B9772
FindClose.KERNEL32(00000000), ref: 004B977F
FindClose.KERNEL32(00000000), ref: 004B978F

Strings

*.*, xrefs: 004B96F5

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 64a08403ef35100dab001cb16dbb1042f888e69fedc40c3c510dd849d0fdbfcd
Instruction ID: 2d6e3261b5430d0b1c313adfd123b2d9035d52d21d7e8120e843c4a1a53ee86f
Opcode Fuzzy Hash: 64a08403ef35100dab001cb16dbb1042f888e69fedc40c3c510dd849d0fdbfcd
Instruction Fuzzy Hash: 3031D67254121AAADF10AFB5DC48ADF77ECAF09320F1041A7FA05E2190EB38DD40CE69

Function 004B979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 004B97BE
FindNextFileW.KERNEL32(00000000,?), ref: 004B9819
FindClose.KERNEL32(00000000), ref: 004B9824
FindFirstFileW.KERNEL32(*.*,?), ref: 004B9840
SetCurrentDirectoryW.KERNEL32(?), ref: 004B9890
SetCurrentDirectoryW.KERNEL32(00506B7C), ref: 004B98AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 004B98B8
FindClose.KERNEL32(00000000), ref: 004B98C5
FindClose.KERNEL32(00000000), ref: 004B98D5

Part of subcall function 004ADAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004ADB00

Strings

*.*, xrefs: 004B983B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 25effaada09f2cf79f6f4a0730f9be0d7f9764c10dcef74d6b921f94fff6a11e
Instruction ID: c46a0bd9bec82e8933d01c2e9f88e7df786e2040ccb854cf229b1396e62fcd36
Opcode Fuzzy Hash: 25effaada09f2cf79f6f4a0730f9be0d7f9764c10dcef74d6b921f94fff6a11e
Instruction Fuzzy Hash: 6531F63150121A6ADF10EFB4DC88ADF77BCAF06324F1441ABEA14A22D0DB39DD44CA79

Function 004CBE44 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBF3E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 004CBFA9
RegCloseKey.ADVAPI32(00000000), ref: 004CBFCD
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004CC02C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004CC0E7
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC154
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC1E9
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 004CC23A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 004CC2E3
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CC382
RegCloseKey.ADVAPI32(00000000), ref: 004CC38F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3d1bf050fcffd4c0ae060af73e72215ab9680469c4c896f783d402aefccbaced
Instruction ID: 9b4b10aa3403bdef2ce5843f4c6320f15fc1f54032cd940aee0a37be66c19f10
Opcode Fuzzy Hash: 3d1bf050fcffd4c0ae060af73e72215ab9680469c4c896f783d402aefccbaced
Instruction Fuzzy Hash: 69024B74604200AFD754CF24C8D5E2ABBE5EF49308F18849EE84ACB2A2D735EC46CB56

Function 004B8195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004B8257
SystemTimeToFileTime.KERNEL32(?,?), ref: 004B8267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 004B8273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B8310
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8324
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B838C
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8395

Strings

*.*, xrefs: 004B839B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 0a60b571e0bbea3369c1555a5b2c9198bbe78efb7f9586a4378139a33742a6c0
Instruction ID: d5f81797e4bb26360013deb8661023b07000ddcabf7647305d98c7a434bf5c53
Opcode Fuzzy Hash: 0a60b571e0bbea3369c1555a5b2c9198bbe78efb7f9586a4378139a33742a6c0
Instruction Fuzzy Hash: 456159715042059FDB10EF65C88099FB3E8FF89318F04492EF99987251EB39E905CBAA

Function 004AD076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

FindFirstFileW.KERNEL32(?,?), ref: 004AD122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 004AD1DD
MoveFileW.KERNEL32(?,?), ref: 004AD1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 004AD20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AD237

Part of subcall function 004AD29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,004AD21C,?,?), ref: 004AD2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 004AD253
FindClose.KERNEL32(00000000), ref: 004AD264

Strings

\*.*, xrefs: 004AD0CD, 004AD0D6, 004AD0EB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5cb9d35a859dec2acf2bcccefaeb065b12b660aa668669ab1fa237393b075905
Instruction ID: cff0d65d32c91f37052c70ad8ffb8b1b9073b07fd83be28c0a996b957a53fdec
Opcode Fuzzy Hash: 5cb9d35a859dec2acf2bcccefaeb065b12b660aa668669ab1fa237393b075905
Instruction Fuzzy Hash: 63616E31C0110D9ADF05EFE1D9929EEB7B5AF26304F2441ABE40277192EB385F09DB69

Function 004BED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004BED91
EmptyClipboard.USER32 ref: 004BED97
GlobalAlloc.KERNEL32(00000002,?), ref: 004BEDAC
CloseClipboard.USER32 ref: 004BEEA3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: cb31124a94256a937254f6cb9291daaa3e726c6fe8e85539d1ac54643ab72c6a
Instruction ID: 9a8808c59838e27519d9a6a13f6fe0483ef079ae26af87374b834764228263e2
Opcode Fuzzy Hash: cb31124a94256a937254f6cb9291daaa3e726c6fe8e85539d1ac54643ab72c6a
Instruction Fuzzy Hash: C441B335605612DFE710CF16D488B9ABBE5EF84318F14C49EE4158B762C779EC42CB98

Function 004AE8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004A16C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
Part of subcall function 004A16C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
Part of subcall function 004A16C3: GetLastError.KERNEL32 ref: 004A174A

ExitWindowsEx.USER32(?,00000000), ref: 004AE932

Strings

SeShutdownPrivilege, xrefs: 004AE902
, xrefs: 004AE920
@, xrefs: 004AE925
, xrefs: 004AE95C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 050975a779c5ebe80bcdeea3695fbf811a11be5d26198dde3b3934f90b6eeb40
Instruction ID: ca0aa5977972a2945417739287e0a2b33b7b509814f77121c523c5e66c9cfea7
Opcode Fuzzy Hash: 050975a779c5ebe80bcdeea3695fbf811a11be5d26198dde3b3934f90b6eeb40
Instruction Fuzzy Hash: BA0149B2610311ABEB5422B69CC6FFF735CAB36744F140827FC23E21E2D5A85C4081AC

Function 004C1204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004C1276
WSAGetLastError.WSOCK32 ref: 004C1283
bind.WSOCK32(00000000,?,00000010), ref: 004C12BA
WSAGetLastError.WSOCK32 ref: 004C12C5
closesocket.WSOCK32(00000000), ref: 004C12F4
listen.WSOCK32(00000000,00000005), ref: 004C1303
WSAGetLastError.WSOCK32 ref: 004C130D
closesocket.WSOCK32(00000000), ref: 004C133C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 6182f361b3cd93ad6dc1b74a03d1f51efe6f48379c13b6a4be2312af0319150f
Instruction ID: f49ccbe191fca1e620a128b104f316d41cb35b39cb7e37abce409d4f2c0fda02
Opcode Fuzzy Hash: 6182f361b3cd93ad6dc1b74a03d1f51efe6f48379c13b6a4be2312af0319150f
Instruction Fuzzy Hash: F9418F396001419FD710EF24C484F2ABBE5AF46318F18819EE8569F3A3C775EC82CBA5

Function 0047B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0047B9D4
_free.LIBCMT ref: 0047B9F8
_free.LIBCMT ref: 0047BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004E3700), ref: 0047BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0051121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0047BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00511270,000000FF,?,0000003F,00000000,?), ref: 0047BC36
_free.LIBCMT ref: 0047BD4B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 8e1db44aba4dbd8a39b652bdd44a59f188194efdb802ec48d1e023534d86e4a1
Instruction ID: e2b1b7bce0aef71e798de697c13b33754dc6b644440be7dc1f211a688b6738ba
Opcode Fuzzy Hash: 8e1db44aba4dbd8a39b652bdd44a59f188194efdb802ec48d1e023534d86e4a1
Instruction Fuzzy Hash: 90C126719002059ECB21AF7A8841BEE7BA8EF41314F14C19FE998D7355E7389E45C7D8

Function 004AD3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

FindFirstFileW.KERNEL32(?,?), ref: 004AD420
DeleteFileW.KERNEL32(?,?,?,?), ref: 004AD470
FindNextFileW.KERNEL32(00000000,00000010), ref: 004AD481
FindClose.KERNEL32(00000000), ref: 004AD498
FindClose.KERNEL32(00000000), ref: 004AD4A1

Strings

\*.*, xrefs: 004AD3F2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 746e1e5927926c2131ea953aab68af40e5337e15fabf934bd40d95607d3d286a
Instruction ID: 145dcb8f270e433ba245c478ff2e4763219597943d0ec8071836fb5b320bd47f
Opcode Fuzzy Hash: 746e1e5927926c2131ea953aab68af40e5337e15fabf934bd40d95607d3d286a
Instruction Fuzzy Hash: A23170714093459FD300EF65C8958AF77E8BEA6308F444A2FF4D252191EB38AA09D76B

Function 0047E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0047E645

Strings

1#QNAN, xrefs: 0047F84B
1#INF, xrefs: 0047F852
1#SNAN, xrefs: 0047F844
1#IND, xrefs: 0047F83D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a0de21213f5cf7abcf65a7a2bda5058181ae3d5bc3ddbff23fed64a013242043
Instruction ID: 8dcbe4e9207542078225243c03963ee1ae5ae4f73a0883c59df728faff92c267
Opcode Fuzzy Hash: a0de21213f5cf7abcf65a7a2bda5058181ae3d5bc3ddbff23fed64a013242043
Instruction Fuzzy Hash: AFC26B71E086288FDB25CE29DD407EAB7B5EB48304F1482EBD44DE7241E778AE858F45

Function 004B648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004B64DC
CoInitialize.OLE32(00000000), ref: 004B6639
CoCreateInstance.OLE32(004DFCF8,00000000,00000001,004DFB68,?), ref: 004B6650
CoUninitialize.OLE32 ref: 004B68D4

Strings

.lnk, xrefs: 004B64BA, 004B6524, 004B65E0

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 213772d98bd8d1be93f2b1bf7ea7574ca3ac51f3d883f1a3fbd67f12e19a2b04
Instruction ID: 6c9e46e7acd14678c83d22e1199419d016a42d448032a77a247b83ba3f525706
Opcode Fuzzy Hash: 213772d98bd8d1be93f2b1bf7ea7574ca3ac51f3d883f1a3fbd67f12e19a2b04
Instruction Fuzzy Hash: 2ED15B71508201AFD314EF25C881DABB7E8FF94708F04496EF5958B291DB39ED09CBA6

Function 004C22DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 004C22E8

Part of subcall function 004BE4EC: GetWindowRect.USER32(?,?), ref: 004BE504

GetDesktopWindow.USER32 ref: 004C2312
GetWindowRect.USER32(00000000), ref: 004C2319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 004C2355
GetCursorPos.USER32(?), ref: 004C2381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 004C23DF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 620644b46a6a235571655573603c2e2a31f4b6c7beb1b1eba2b3c983fbac519a
Instruction ID: 6f5dc6e87b7da2aba1958237f372b1b0007947b8f0c2d529896f0d2f3889a826
Opcode Fuzzy Hash: 620644b46a6a235571655573603c2e2a31f4b6c7beb1b1eba2b3c983fbac519a
Instruction Fuzzy Hash: FB31E172105356ABC720DF25D944F5BB7A9FF84714F00091EF88497191DBB8EA08CB9A

Function 004B9B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 004B9B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 004B9C8B

Part of subcall function 004B3874: GetInputState.USER32 ref: 004B38CB
Part of subcall function 004B3874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B3966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 004B9BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 004B9C75

Strings

*.*, xrefs: 004B9B5D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 7c68bea77686cb95ad6c508d2c173a8bbff9e98e7c198c8fbd89777181547d06
Instruction ID: 4b7053a2198dd30107d63513f9a4b389f9583375d4870dda12204cc50f3378a1
Opcode Fuzzy Hash: 7c68bea77686cb95ad6c508d2c173a8bbff9e98e7c198c8fbd89777181547d06
Instruction Fuzzy Hash: E841927194420A9FDF14DFA5C889AEE7BB4FF05304F20415BE905A3291EB349E44CF69

Function 00448060 Relevance: 8.7, Strings: 6, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 004483FA
_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 00485DB2
VUUU, xrefs: 004483E8
VUUU, xrefs: 00485DF0
VUUU, xrefs: 0044843C
ERCP, xrefs: 0044813C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU$_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
API String ID: 0-2009957334
Opcode ID: cb6adf192747e53a505bdfa5e1557018285033fe579242bfe96d776d19a274ba
Instruction ID: f10700c030a0d8f6ca489324b740d40c7d5060f82b49e24b6534beaa3f25f472
Opcode Fuzzy Hash: cb6adf192747e53a505bdfa5e1557018285033fe579242bfe96d776d19a274ba
Instruction Fuzzy Hash: E7A29E70E0021ACBEF24DF58C9407AEB7B1BB54314F2585ABD815A7385EB389D81CF99

Function 0045997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00459A4E
GetSysColor.USER32(0000000F), ref: 00459B23
SetBkColor.GDI32(?,00000000), ref: 00459B36

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: c8e1d9bb8896fe0a29252374b0c5388dea8bb646f2ae51cda68421c5da6451e8
Instruction ID: a769b2526b0f3423d8617dcbd3c25ae1f206f6a67a00637a5ce6b4860b2511a2
Opcode Fuzzy Hash: c8e1d9bb8896fe0a29252374b0c5388dea8bb646f2ae51cda68421c5da6451e8
Instruction Fuzzy Hash: 21A10CB0118584FEEB249B3D8C58D7B2A9DEB42315B14415FF902C6793CA2D9D0AD37E

Function 004C1806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
Part of subcall function 004C304E: _wcslen.LIBCMT ref: 004C309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 004C185D
WSAGetLastError.WSOCK32 ref: 004C1884
bind.WSOCK32(00000000,?,00000010), ref: 004C18DB
WSAGetLastError.WSOCK32 ref: 004C18E6
closesocket.WSOCK32(00000000), ref: 004C1915

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: cba365f0952fa2a33da7fd7fdb862550f40bbab53b3251aea053aeb02d622f2c
Instruction ID: 79161794ab389f961765496263c9464a40fbc2d36891ce4822dcb9f83d2803a7
Opcode Fuzzy Hash: cba365f0952fa2a33da7fd7fdb862550f40bbab53b3251aea053aeb02d622f2c
Instruction Fuzzy Hash: 5151D475A00210AFEB10AF25C886F2AB7E5AB45718F08849EF9055F3D3C779AD41CBA5

Function 004D1C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004D1CC0
IsWindowEnabled.USER32 ref: 004D1CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 004D1CDB
IsIconic.USER32 ref: 004D1CE9
IsZoomed.USER32 ref: 004D1CF7

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 4a28e2003497474c65e7cb1cb4467127c1f0e37e68ece04905e6b9fc34f83e8e
Instruction ID: 86388c739614773bb25f5934ce8a216e1e35d63ebd2a414dd1bd4011350cc9d1
Opcode Fuzzy Hash: 4a28e2003497474c65e7cb1cb4467127c1f0e37e68ece04905e6b9fc34f83e8e
Instruction Fuzzy Hash: D821E1317512016FE7208F1AC8A4B2B7BA5EF95714B18806FEC468B361C779EC42CB98

Function 004A8298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 004A82AA

Strings

tbP, xrefs: 004A84F4
(, xrefs: 004A82F0
|, xrefs: 004A82DA

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($tbP$|
API String ID: 1659193697-2761516067
Opcode ID: 0fd0be99b777121b6e949ddddba5ba5fa94b4dc347cf717fe85d812e6be26c3c
Instruction ID: 69d7f5566fb06c8a5ab7c1fbaf37613f4551fb94c5e7aaeca647bcc025975ec4
Opcode Fuzzy Hash: 0fd0be99b777121b6e949ddddba5ba5fa94b4dc347cf717fe85d812e6be26c3c
Instruction Fuzzy Hash: D0323575A007059FCB28CF19C481AAAB7F0FF58710B15C46EE89ADB7A1EB74E941CB44

Function 004AAA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 004AAAAC
SetKeyboardState.USER32(00000080), ref: 004AAAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 004AAB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 004AAB88

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 393f763a0f08acccd2a654ed62987e57158ee0a165acc84aeada6961e13328b9
Instruction ID: 8e7d1b8e525c319f95547b8536ad6cd9e77904bf4ed525cd6533020fca1ada7a
Opcode Fuzzy Hash: 393f763a0f08acccd2a654ed62987e57158ee0a165acc84aeada6961e13328b9
Instruction Fuzzy Hash: 55311A30A40208AEFF35CA65CC05BFB77A6AB66310F04421BF281562D1D37DA9A1C77B

Function 004BCE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 004BCE89
GetLastError.KERNEL32(?,00000000), ref: 004BCEEA
SetEvent.KERNEL32(?,?,00000000), ref: 004BCEFE

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: c0bdeb0c09f95187de3a5cb4977af6287fc788917690e76739e7e6d7b2771ea5
Instruction ID: f70a88988bee3ec56d67319b1ae0f0a43165593dbd1c17a93eda1c1a78fb3b62
Opcode Fuzzy Hash: c0bdeb0c09f95187de3a5cb4977af6287fc788917690e76739e7e6d7b2771ea5
Instruction Fuzzy Hash: D0219071900306DBDB20DFA5C9C4BA777F8EB50358F10446FE64692291E778EE05CBA8

Function 004B5C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B5CC1
FindNextFileW.KERNEL32(00000000,?), ref: 004B5D17
FindClose.KERNEL32(?), ref: 004B5D5F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b63c7d37f5b286415ee9b9ee0d7bcc3329cf157656812be59343d0b9da2a6435
Instruction ID: ccc54f9bf8c37d61d82734e949b1d6b8d3daecfe0a3c20b09bce5c7a415deb5d
Opcode Fuzzy Hash: b63c7d37f5b286415ee9b9ee0d7bcc3329cf157656812be59343d0b9da2a6435
Instruction Fuzzy Hash: C85199746046019FC714CF28C494A9AF7E8FF49318F14865EE95A8B3A1CB38E805CFA5

Function 00472622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0047271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00472724
UnhandledExceptionFilter.KERNEL32(?), ref: 00472731

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7d4e3d22d90d11a4ee2985b7d334f5c23de2facf79ce3387ed4ea10d1cb66eb1
Instruction ID: 28f071ad4f1babb1f099a063dc92ea61c6072b39347d3cfc56bbc9250eb4787e
Opcode Fuzzy Hash: 7d4e3d22d90d11a4ee2985b7d334f5c23de2facf79ce3387ed4ea10d1cb66eb1
Instruction Fuzzy Hash: 1631D774911218ABCB21DF65DD887DDB7B8AF18310F5042EAE80CA7260E7749F818F49

Function 004B51CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B51DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 004B5238
SetErrorMode.KERNEL32(00000000), ref: 004B52A1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: cdbd693e74c7232cb2102cfb070e97a9cfcf4d97414355a63665a87f50e70595
Instruction ID: 940baa1ac59d749553be5c5b50a2ea5c27eca56093f50f6013228dc2fd246cd3
Opcode Fuzzy Hash: cdbd693e74c7232cb2102cfb070e97a9cfcf4d97414355a63665a87f50e70595
Instruction Fuzzy Hash: AF314D75A005189FDB00DF55D8C4EAEBBB4FF49318F0880AAE8059B392DB35E856CB64

Function 004A16C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0045FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00460668
Part of subcall function 0045FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00460685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 004A170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 004A173A
GetLastError.KERNEL32 ref: 004A174A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 0f11da44a277ff718f8e8892d2ae51984b121a5c82ffb918ce83db6989593336
Instruction ID: 18756058707eb33a4139721e211ff357e0f21e1e2187966009e77c0f41b01df8
Opcode Fuzzy Hash: 0f11da44a277ff718f8e8892d2ae51984b121a5c82ffb918ce83db6989593336
Instruction Fuzzy Hash: B1110EB2400305BFDB18AF54DCC6D6BB7B8EB04714B20802FE44697251EB74BC49CA68

Function 004AD5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004AD608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 004AD645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 004AD650

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 063c19c5fe73ecc65e753ff446bd1c8eaeef757a7c66cde7e75fe5170240318a
Instruction ID: 1b06602acabd91302bb7a19b2fa79abae2ef08d1ac39c317b042863b07e3cfa6
Opcode Fuzzy Hash: 063c19c5fe73ecc65e753ff446bd1c8eaeef757a7c66cde7e75fe5170240318a
Instruction Fuzzy Hash: 9B118E71E05228BFDB108F94DC84FAFBBBCEB45B50F108122F904E7290C2704A018BA5

Function 004A1663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004A168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 004A16A1
FreeSid.ADVAPI32(?), ref: 004A16B1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 1713f0045b3441dfef9c97bec3945816b432b11155af7f3a979fc71d8bd7ad34
Instruction ID: efb30fc0a20b45eed527dd684e767c35939fcd3f2204346ed93ee6cb300e5277
Opcode Fuzzy Hash: 1713f0045b3441dfef9c97bec3945816b432b11155af7f3a979fc71d8bd7ad34
Instruction Fuzzy Hash: F5F0F471951309FBDF00DFE49C89EAEBBBCEB08604F504566E501E2191E774AA448A54

Function 0047C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0047C36C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 762765badb5e19bac5fc370a3e19a43475dd49fc8e4582e507edd1e5226c6316
Instruction ID: 425a93638850e31272153f82599cf4ef9329110947935952f2981655d4b2256e
Opcode Fuzzy Hash: 762765badb5e19bac5fc370a3e19a43475dd49fc8e4582e507edd1e5226c6316
Instruction Fuzzy Hash: 9B4128729006196BCB209FB9CC88DFB7778EB84314F1082AEF909D7280E6749D418B58

Function 0049D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0049D28C

Strings

X64, xrefs: 0049D2A8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: d6dc960ca8bcb437f1ff6db050a11f8e1edffbf385c6d79b1f03a21f73e3b455
Instruction ID: 734f1a1bde815913a2b2a7cc941b9f8216ad4db7586b15f7583691761827c3a3
Opcode Fuzzy Hash: d6dc960ca8bcb437f1ff6db050a11f8e1edffbf385c6d79b1f03a21f73e3b455
Instruction Fuzzy Hash: C2D0C9B480111DEACF90CB90DCC8DD9B77CBB04305F1001A2F506A2080D73495498F14

Function 0046CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a49604b0a8cf665cd8463bd6c77995f2e619b4941bd74f44c5c4f825e86613b3
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7023C71E002199BDF14CFA9C9C06AEBBF1EF48314F25816AD859E7380E735AA418B95

Function 0044CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#Q, xrefs: 0044CF7F
Variable is not of type 'Object'., xrefs: 00490C40

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#Q
API String ID: 0-1304417871
Opcode ID: 72653585e873e706e7c88c44d5dea577cfcde5421ddb59ad650f663b90954c7a
Instruction ID: 4955907399058fe4d64edbb02d34fbc17f64c634521836ccf98309f09a2f46af
Opcode Fuzzy Hash: 72653585e873e706e7c88c44d5dea577cfcde5421ddb59ad650f663b90954c7a
Instruction Fuzzy Hash: E1326F74901218DFEF54DF90C8C5AEEBBB5BF14308F14406AE8066B392D739AD4ACB59

Function 004B68EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 004B6918
FindClose.KERNEL32(00000000), ref: 004B6961

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: af92655b3322d1b5549dcb8228fc9764045ac3413b019154beefe881e7c7bbba
Instruction ID: d5ec47cf6335c2765dda0dd5d156a17e05789ea9ca22c3413d45d5f0878e129f
Opcode Fuzzy Hash: af92655b3322d1b5549dcb8228fc9764045ac3413b019154beefe881e7c7bbba
Instruction Fuzzy Hash: 8811B1716042019FD710CF29C4C4A16BBE1EF84328F05C6AEE8698F3A2C738EC05CB95

Function 004B37B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,004C4891,?,?,00000035,?), ref: 004B37E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,004C4891,?,?,00000035,?), ref: 004B37F4

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0892ca4af0aa6a53fc10d59b5f68f3d420aaaa24f4efa768e619d84cfbbc5cd2
Instruction ID: 81dfd3efca53ddf08967eff486ac09601e485db0ee064c2cf052da5bbdd0c69f
Opcode Fuzzy Hash: 0892ca4af0aa6a53fc10d59b5f68f3d420aaaa24f4efa768e619d84cfbbc5cd2
Instruction Fuzzy Hash: 3FF0EC706052256AE71017675C8DFDB775DDFC4765F000577F509D2291D9605D04C7F4

Function 004AB226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 004AB25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 004AB270

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 5abf8465ea6a1a11bde4c4e0748bbef99b66824f34951d6cf3147f2e208533e4
Instruction ID: fba9bd707d67451d49d0367afa86847768372b964fff45d4700d97e3dfce5943
Opcode Fuzzy Hash: 5abf8465ea6a1a11bde4c4e0748bbef99b66824f34951d6cf3147f2e208533e4
Instruction Fuzzy Hash: A6F01D7180424EABDB059FA0C809BAE7BB4FF05305F00805AF955A5192C3798611DF98

Function 004A10BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,004A11FC), ref: 004A10D4
CloseHandle.KERNEL32(?,?,004A11FC), ref: 004A10E9

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3a8a8e0bb8e78fff536bf47c3c629bfc24710dd4f5f2bcf4f4eb4f11c09daf2b
Instruction ID: 7e87f6b1aaf0d90fb2dfc146f92f1287e2f8313f7cb78d2a704a0ff2f28c7937
Opcode Fuzzy Hash: 3a8a8e0bb8e78fff536bf47c3c629bfc24710dd4f5f2bcf4f4eb4f11c09daf2b
Instruction Fuzzy Hash: 28E04F32008601AEE7252B51FC06E7377A9EB04311F10882FF8A6804B1DB626C94DB58

Function 0047676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00476766,?,?,00000008,?,?,0047FEFE,00000000), ref: 00476998

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2d0a9e7514656bcdf37d7beef9a264231cc127ae6c6b84a58fff82df2ee4af7
Instruction ID: 0378190187dc7540a1275503067bb9a54484b0a429184b369f2932314014023a
Opcode Fuzzy Hash: f2d0a9e7514656bcdf37d7beef9a264231cc127ae6c6b84a58fff82df2ee4af7
Instruction Fuzzy Hash: 13B16B71510A089FD718CF28C486BA57BA1FF05364F26C659E89DCF2A2C339D986CB45

Function 0045B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0049851F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 06aeeffad057c82e5f8018c2af3c97d9e30c15b5c5716d1716248d577b0f74cd
Instruction ID: ad2cf314a3b34f329804843ce6f97904ddb43e39242f8db7c5060f0fc8213c2d
Opcode Fuzzy Hash: 06aeeffad057c82e5f8018c2af3c97d9e30c15b5c5716d1716248d577b0f74cd
Instruction Fuzzy Hash: 581251719002199BDF24CF58C8806EEB7B5FF49710F1481ABE849EB252DB389A85CF95

Function 004BEAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 004BEABD

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: a031c8407f6b3e76bb3b2c616f91292d481c70bf7d3cb68f28ce2bbd866a8027
Instruction ID: baf6dfd076fc7403a12d4b4a14966c8bb1ccb9d47327505adec3b2de9af79efe
Opcode Fuzzy Hash: a031c8407f6b3e76bb3b2c616f91292d481c70bf7d3cb68f28ce2bbd866a8027
Instruction Fuzzy Hash: E0E01A31200204AFD710EF6AD844E9AF7EDAF98764F00842BFC49C7391DA78E8418BA5

Function 004609D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,004603EE), ref: 004609DA

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f12016c38cd83bc85ca92b9f46b1829e9d0f31041dade312c7c54414380f6ff3
Instruction ID: 8769f1eebe6eedeba84163d246e6da1af2c11fc35e9b854ab28933c19d62ad36
Opcode Fuzzy Hash: f12016c38cd83bc85ca92b9f46b1829e9d0f31041dade312c7c54414380f6ff3
Instruction Fuzzy Hash:

Function 0046781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0046798B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 53903b253fd0543935c4c6df2e76f2c87a8f1ce5777cb161b363507de66416eb
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: E25137A160C70556EB38A67988997BF27D59B0234CF180A0FD882D7382F61DDE4AD35F

Function 004B2046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&Q, xrefs: 004B2053

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: 0&Q
API String ID: 0-77127364
Opcode ID: 57d0dc16a6607aa39f716888c42bb00535cda9f6029d3bb7e4ce430f868e2549
Instruction ID: 1b50203392b4f2da0cd0a0bd67a3b99b7fbd7eefba1e9b7c4f6edad1624c2e9c
Opcode Fuzzy Hash: 57d0dc16a6607aa39f716888c42bb00535cda9f6029d3bb7e4ce430f868e2549
Instruction Fuzzy Hash: 69210A323206118BD728CF79C9236BE73E5A764310F148A2EE4A7C33D0DE79A904DB94

Function 00476DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a7e30eba3cd2d7fdf627b3e64d4042bd8ed711840f516f1fcf975a0ac8fe123
Instruction ID: 4637db1ee3c7294b1be8df48d5a901ef34a8a28ce6b9cf6155db6647c8bcba82
Opcode Fuzzy Hash: 1a7e30eba3cd2d7fdf627b3e64d4042bd8ed711840f516f1fcf975a0ac8fe123
Instruction Fuzzy Hash: 7F326522D29F414DD7239638CD62336A64DAFB33C4F55C737E81AB9EA6EB68C4834104

Function 0045CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be3cd205b16f4bcd6f25a78db92e6547c60c4971a0def328187b086d953b474
Instruction ID: d74e644c32553d6df23c73f437fdfad0e03b64778444c32f5175f0e27aa1f299
Opcode Fuzzy Hash: 4be3cd205b16f4bcd6f25a78db92e6547c60c4971a0def328187b086d953b474
Instruction Fuzzy Hash: 0232F132A002458FDF29CE29C4D467E7FA1EB45305F28857BD85A8B392D23CDD86DB49

Function 00447920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4100fbcf1211b1a41dac1f6717f282c5cd4c720513f6a3dd10f278ffc847bf57
Instruction ID: ff10ccb107c76f1cb4ed4dfef90ef5e0256d7fbb2f51c2addd56fa35d9cc58ac
Opcode Fuzzy Hash: 4100fbcf1211b1a41dac1f6717f282c5cd4c720513f6a3dd10f278ffc847bf57
Instruction Fuzzy Hash: 2D22D2B0A00609DFEF14DF65C881AAEB3F5FF44304F14452AE816E7291EB39AD16CB59

Function 004491C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669538cbf13a1aedf00c1f19660565d2f49c1f2f85ff74e9a7792d1677d0fc48
Instruction ID: 5a4fb86a5b3acd1c285fc18b7411f9743ac50aadd3a1c678aa753ea5cede3d0f
Opcode Fuzzy Hash: 669538cbf13a1aedf00c1f19660565d2f49c1f2f85ff74e9a7792d1677d0fc48
Instruction Fuzzy Hash: ED02D6B0E00105EBDB04EF55D881AAEB7B5FF44304F10856AE806DB391EB39EE15DB89

Function 00479EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f9855cd8d10b4e70cde71cbc9636ea55ecfe4763fdc24702db31d1a750de13e
Instruction ID: d8996e45673a419eaa9a08446e3d471eae6bdf47ee7dada0f54b1a1ad81ce26e
Opcode Fuzzy Hash: 5f9855cd8d10b4e70cde71cbc9636ea55ecfe4763fdc24702db31d1a750de13e
Instruction Fuzzy Hash: B4B12630D2AF804DD3239A398875336B65CAFBB6C6F51D72BFC1679D62EB2185834144

Function 00461C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 3343b3b88fa119a55e0a7cddb3b6427d3b1ce1e4f5666fef1197bface83dddaa
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A89178725080E34ADB2D463A857443FFFE15A523A131E079FD4F2CA2E1FE18D958E626

Function 004619B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 4179e4ad15eb78a35a3124924815861f9fe2ec59f9ebd0cd56f825dc8297d203
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 939186722090E34ADB2D427A857403FFFE15A927A231D079FD4F2CA2E1FD189558E626

Function 00467A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a935f6750f7082111288e6c91574ec828df002cf409219750c78b3cd325f24
Instruction ID: f9b0e94c949542d76cdd522a58dae2fd0269ae6099d9eb58a6f4f594febf9451
Opcode Fuzzy Hash: e9a935f6750f7082111288e6c91574ec828df002cf409219750c78b3cd325f24
Instruction Fuzzy Hash: 4D61697120870956DA349A6888A5BBF3394DF41B4CF140A1FE842DB382FA5DAE42C71F

Function 00467CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cb14924b63c72a23d706e4c502b4b8e40a787c1a035894fe8435258c080ee7
Instruction ID: 5b7482d8300e428b0e347fc3a4e5288de62faedfa84c3b2d05207cf2a7c48649
Opcode Fuzzy Hash: 59cb14924b63c72a23d706e4c502b4b8e40a787c1a035894fe8435258c080ee7
Instruction Fuzzy Hash: B261797160870966DB388A289891BBF23849F4274CF100D5FE943DB381FA1E9D46835F

Function 00461706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: bbe3e50b3ba7076f783f5d83efee7e301d39d003d11c23f799106d78cff09464
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 898167725090E309DB5D463A857443FFFE15A923A231E079FD4F2CB2E1FD188558E626

Function 004C2ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004C2B30
DeleteObject.GDI32(00000000), ref: 004C2B43
DestroyWindow.USER32 ref: 004C2B52
GetDesktopWindow.USER32 ref: 004C2B6D
GetWindowRect.USER32(00000000), ref: 004C2B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 004C2CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 004C2CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2CF8
GetClientRect.USER32(00000000,?), ref: 004C2D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 004C2D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D80
GlobalLock.KERNEL32(00000000), ref: 004C2D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2D98
GlobalUnlock.KERNEL32(00000000), ref: 004C2DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2DA8
GlobalFree.KERNEL32(00000000), ref: 004C2DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,004DFC38,00000000), ref: 004C2DDB
GlobalFree.KERNEL32(00000000), ref: 004C2DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 004C2E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 004C2E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C2E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 004C303F

Strings

static, xrefs: 004C2D3A, 004C2E91
AutoIt v3, xrefs: 004C2CF2
DISPLAY, xrefs: 004C2EA2
, xrefs: 004C2FC5

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ede97e680ecaacca52f5cf8b772ef30215e1e7789bf0afde78fc4f918de1e6f0
Instruction ID: b113b5b381bce7ef4e4d4482505129303358bef4fef47705c3c1614cf89de3ab
Opcode Fuzzy Hash: ede97e680ecaacca52f5cf8b772ef30215e1e7789bf0afde78fc4f918de1e6f0
Instruction Fuzzy Hash: 6202AD75900219AFDB14DF64CD89EAE7BB9EB48314F00855EF915AB2A0CB74ED01CB68

Function 004D70D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 004D712F
GetSysColorBrush.USER32(0000000F), ref: 004D7160
GetSysColor.USER32(0000000F), ref: 004D716C
SetBkColor.GDI32(?,000000FF), ref: 004D7186
SelectObject.GDI32(?,?), ref: 004D7195
InflateRect.USER32(?,000000FF,000000FF), ref: 004D71C0
GetSysColor.USER32(00000010), ref: 004D71C8
CreateSolidBrush.GDI32(00000000), ref: 004D71CF
FrameRect.USER32(?,?,00000000), ref: 004D71DE
DeleteObject.GDI32(00000000), ref: 004D71E5
InflateRect.USER32(?,000000FE,000000FE), ref: 004D7230
FillRect.USER32(?,?,?), ref: 004D7262
GetWindowLongW.USER32(?,000000F0), ref: 004D7284

Part of subcall function 004D73E8: GetSysColor.USER32(00000012), ref: 004D7421
Part of subcall function 004D73E8: SetTextColor.GDI32(?,?), ref: 004D7425
Part of subcall function 004D73E8: GetSysColorBrush.USER32(0000000F), ref: 004D743B
Part of subcall function 004D73E8: GetSysColor.USER32(0000000F), ref: 004D7446
Part of subcall function 004D73E8: GetSysColor.USER32(00000011), ref: 004D7463
Part of subcall function 004D73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 004D7471
Part of subcall function 004D73E8: SelectObject.GDI32(?,00000000), ref: 004D7482
Part of subcall function 004D73E8: SetBkColor.GDI32(?,00000000), ref: 004D748B
Part of subcall function 004D73E8: SelectObject.GDI32(?,?), ref: 004D7498
Part of subcall function 004D73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 004D74B7
Part of subcall function 004D73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004D74CE
Part of subcall function 004D73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 004D74DB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 9d740a59ad9769975c5c43a939dfa942f2fec4fbf76494d0e60ed44d778bd865
Instruction ID: bc57eb5a331f874e6a3c7fb9b84825649343014f27a923318a245a8af5d93b3c
Opcode Fuzzy Hash: 9d740a59ad9769975c5c43a939dfa942f2fec4fbf76494d0e60ed44d778bd865
Instruction Fuzzy Hash: 60A1A372009312BFDB019F60DC98A5FBBA9FB49320F100B2BF962962E1D734D945CB56

Function 00458D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00458E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00496AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00496AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00496F43

Part of subcall function 00458F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00458BE8,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458FC5

SendMessageW.USER32(?,00001053), ref: 00496F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00496F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00496FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00496FB7

Strings

0, xrefs: 00496DCF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 8bf8d7994af29f11acc6eb56cb45820537962997ddabdb0e9e05a1741c6da335
Instruction ID: 34725f0324fea6d8e91ce1641199166278bb709c24b229043e517bd5c56bd604
Opcode Fuzzy Hash: 8bf8d7994af29f11acc6eb56cb45820537962997ddabdb0e9e05a1741c6da335
Instruction Fuzzy Hash: C112CC30201611AFCB21CF24C895BAABBF1FB44301F15817EF995DB262CB39E856DB59

Function 004C2711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004C273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004C286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 004C28A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 004C28B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 004C2900
GetClientRect.USER32(00000000,?), ref: 004C290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 004C2955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004C2964
GetStockObject.GDI32(00000011), ref: 004C2974
SelectObject.GDI32(00000000,00000000), ref: 004C2978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 004C2988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004C2991
DeleteDC.GDI32(00000000), ref: 004C299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004C29C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 004C29DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 004C2A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 004C2A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 004C2A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 004C2A77
GetStockObject.GDI32(00000011), ref: 004C2A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004C2A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 004C2A97

Strings

static, xrefs: 004C294F, 004C2A71
AutoIt v3, xrefs: 004C28F8
msctls_progress32, xrefs: 004C2A13
DISPLAY, xrefs: 004C295A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: a0570d5f210081e0a53705d712b3d3169aa01c6b20dd9ce8ab68fff318a7d4af
Instruction ID: abfd03025e7fd1e7acbd8d4a2ba50739fbb682fe9c819363f75a4a247877d31e
Opcode Fuzzy Hash: a0570d5f210081e0a53705d712b3d3169aa01c6b20dd9ce8ab68fff318a7d4af
Instruction Fuzzy Hash: C1B16F75A00615BFEB14DF68CD85FAE7BA9EB04714F00855AFA14E7290D7B4ED00CBA8

Function 004B4ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B4AED
GetDriveTypeW.KERNEL32(?,004DCB68,?,\\.\,004DCC08), ref: 004B4BCA
SetErrorMode.KERNEL32(00000000,004DCB68,?,\\.\,004DCC08), ref: 004B4D36

Strings

ATAPI, xrefs: 004B4C91
Virtual, xrefs: 004B4CE5
Removable, xrefs: 004B4C10, 004B4C15
CDROM, xrefs: 004B4BFB
SCSI, xrefs: 004B4C8A
ATA, xrefs: 004B4C98
Unknown, xrefs: 004B4BED, 004B4C83
1394, xrefs: 004B4C9F
Network, xrefs: 004B4C02
RAID, xrefs: 004B4CBB
SSD, xrefs: 004B4C4A
\\.\, xrefs: 004B4B3F
USB, xrefs: 004B4CB4
MMC, xrefs: 004B4CDE
PhysicalDrive, xrefs: 004B4B76
SSA, xrefs: 004B4CA6
SATA, xrefs: 004B4CD0
Fixed, xrefs: 004B4C09
Fibre, xrefs: 004B4CAD
RAMDisk, xrefs: 004B4BF4
SAS, xrefs: 004B4CC9
iSCSI, xrefs: 004B4CC2
FileBackedVirtual, xrefs: 004B4CEC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: bbc78320d4c7a8e51213a92bd792d9330ca6aff3336bb933a31dc2945f1f87ee
Instruction ID: 27b65e6b2ab6cfef94a938956f02251ba264796e8b788333bb70e32f7af41407
Opcode Fuzzy Hash: bbc78320d4c7a8e51213a92bd792d9330ca6aff3336bb933a31dc2945f1f87ee
Instruction Fuzzy Hash: 5B61C2316051069BDB04DF24C9829BD7FB0BB84B04B21401BF806AB693DB3DED56DB7A

Function 004D73E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 004D7421
SetTextColor.GDI32(?,?), ref: 004D7425
GetSysColorBrush.USER32(0000000F), ref: 004D743B
GetSysColor.USER32(0000000F), ref: 004D7446
CreateSolidBrush.GDI32(?), ref: 004D744B
GetSysColor.USER32(00000011), ref: 004D7463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 004D7471
SelectObject.GDI32(?,00000000), ref: 004D7482
SetBkColor.GDI32(?,00000000), ref: 004D748B
SelectObject.GDI32(?,?), ref: 004D7498
InflateRect.USER32(?,000000FF,000000FF), ref: 004D74B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 004D74CE
GetWindowLongW.USER32(00000000,000000F0), ref: 004D74DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 004D752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 004D7554
InflateRect.USER32(?,000000FD,000000FD), ref: 004D7572
DrawFocusRect.USER32(?,?), ref: 004D757D
GetSysColor.USER32(00000011), ref: 004D758E
SetTextColor.GDI32(?,00000000), ref: 004D7596
DrawTextW.USER32(?,004D70F5,000000FF,?,00000000), ref: 004D75A8
SelectObject.GDI32(?,?), ref: 004D75BF
DeleteObject.GDI32(?), ref: 004D75CA
SelectObject.GDI32(?,?), ref: 004D75D0
DeleteObject.GDI32(?), ref: 004D75D5
SetTextColor.GDI32(?,?), ref: 004D75DB
SetBkColor.GDI32(?,?), ref: 004D75E5

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: ab92b09e6efc7d47a730329437b64b08052a41195f778b0a4461268fa766ae69
Instruction ID: dacbb7c5bf845b16eafbb12b5df97f7bd8f2982f2583530a527fa50dd12e6602
Opcode Fuzzy Hash: ab92b09e6efc7d47a730329437b64b08052a41195f778b0a4461268fa766ae69
Instruction Fuzzy Hash: B1616F72901219BFDF019FA4DC99EEEBFB9EB08320F114126F915AB2A1D7749940CF94

Function 004D0FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004D1128
GetDesktopWindow.USER32 ref: 004D113D
GetWindowRect.USER32(00000000), ref: 004D1144
GetWindowLongW.USER32(?,000000F0), ref: 004D1199
DestroyWindow.USER32(?), ref: 004D11B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 004D11ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004D121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 004D1232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 004D1245
IsWindowVisible.USER32(00000000), ref: 004D12A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 004D12BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 004D12D0
GetWindowRect.USER32(00000000,?), ref: 004D12E8
MonitorFromPoint.USER32(?,?,00000002), ref: 004D130E
GetMonitorInfoW.USER32(00000000,?), ref: 004D1328
CopyRect.USER32(?,?), ref: 004D133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 004D13AA

Strings

(, xrefs: 004D131B
tooltips_class32, xrefs: 004D11E6
0, xrefs: 004D10D3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a9edb41c2462ea658ddfca60e94f65d1b6b29dad5bb5a9788305c7c4c7bd5fed
Instruction ID: 2b911623660c9ddfee3a924f2aa64887f479ab1a51c19e5966284ee3d1b22407
Opcode Fuzzy Hash: a9edb41c2462ea658ddfca60e94f65d1b6b29dad5bb5a9788305c7c4c7bd5fed
Instruction Fuzzy Hash: 48B18C71604341AFE700DF65C885B6BBBE4FF88354F00891EF9999B2A1C735E845CB9A

Function 004D0241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D02E5
_wcslen.LIBCMT ref: 004D031F
_wcslen.LIBCMT ref: 004D0389
_wcslen.LIBCMT ref: 004D03F1
_wcslen.LIBCMT ref: 004D0475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 004D04C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004D0504

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

Part of subcall function 004A223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004A2258
Part of subcall function 004A223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 004A228A

Strings

GETTEXT, xrefs: 004D03EC, 004D0407
SELECT, xrefs: 004D0548
GETITEMCOUNT, xrefs: 004D0316, 004D0337
VIEWCHANGE, xrefs: 004D0675
GETSELECTED, xrefs: 004D05E1
FINDITEM, xrefs: 004D0627
ISSELECTED, xrefs: 004D04DD
SELECTALL, xrefs: 004D0515
SELECTINVERT, xrefs: 004D057E
GETSELECTEDCOUNT, xrefs: 004D0470, 004D048B
GETSUBITEMCOUNT, xrefs: 004D0384, 004D039F
DESELECT, xrefs: 004D059C
SELECTCLEAR, xrefs: 004D052D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 78999eae74419f55d85e842ab1bb10ba5ba3dea9048d02f7ca3ce009b277b9ef
Instruction ID: d9e978e7c8fbc020724c47a68ae4223f0ba829fa1700940f76be8ccd99a42f38
Opcode Fuzzy Hash: 78999eae74419f55d85e842ab1bb10ba5ba3dea9048d02f7ca3ce009b277b9ef
Instruction Fuzzy Hash: FBE1AE312082019BC714DF25C560A2FB7E5BF98318F14495FF8969B3A1DB38ED46CB9A

Function 00458891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00458968
GetSystemMetrics.USER32(00000007), ref: 00458970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0045899B
GetSystemMetrics.USER32(00000008), ref: 004589A3
GetSystemMetrics.USER32(00000004), ref: 004589C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 004589E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 004589F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00458A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00458A3C
GetClientRect.USER32(00000000,000000FF), ref: 00458A5A
GetStockObject.GDI32(00000011), ref: 00458A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00458A81

Part of subcall function 0045912D: GetCursorPos.USER32(?), ref: 00459141
Part of subcall function 0045912D: ScreenToClient.USER32(00000000,?), ref: 0045915E
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000001), ref: 00459183
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000002), ref: 0045919D

SetTimer.USER32(00000000,00000000,00000028,004590FC), ref: 00458AA8

Strings

AutoIt v3 GUI, xrefs: 00458A20

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c4bf074d2f09ba9d82cbeda1e1283f6e3c257f422aef2fd0a7060d40495d87cf
Instruction ID: f4c780a6d50e5c692f42af5c7bd3db35a16bc03e5d882472c14e0e4a60cba9e0
Opcode Fuzzy Hash: c4bf074d2f09ba9d82cbeda1e1283f6e3c257f422aef2fd0a7060d40495d87cf
Instruction Fuzzy Hash: 1AB19E7160020AAFDF04DFA8DC85BAE3BB4FB48315F11416AFA15A7290DB38E845CB59

Function 004A0D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
Part of subcall function 004A10F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
Part of subcall function 004A10F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
Part of subcall function 004A10F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
Part of subcall function 004A10F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004A0DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 004A0E29
GetLengthSid.ADVAPI32(?), ref: 004A0E40
GetAce.ADVAPI32(?,00000000,?), ref: 004A0E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 004A0E96
GetLengthSid.ADVAPI32(?), ref: 004A0EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 004A0EB5
HeapAlloc.KERNEL32(00000000), ref: 004A0EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 004A0EDD
CopySid.ADVAPI32(00000000), ref: 004A0EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 004A0F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 004A0F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 004A0F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F6E
HeapFree.KERNEL32(00000000), ref: 004A0F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F7E
HeapFree.KERNEL32(00000000), ref: 004A0F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A0F8E
HeapFree.KERNEL32(00000000), ref: 004A0F95
GetProcessHeap.KERNEL32(00000000,?), ref: 004A0FA1
HeapFree.KERNEL32(00000000), ref: 004A0FA8

Part of subcall function 004A1193: GetProcessHeap.KERNEL32(00000008,004A0BB1,?,00000000,?,004A0BB1,?), ref: 004A11A1
Part of subcall function 004A1193: HeapAlloc.KERNEL32(00000000,?,00000000,?,004A0BB1,?), ref: 004A11A8
Part of subcall function 004A1193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,004A0BB1,?), ref: 004A11B7

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1d41564a20210025e70ec91b017aed7caadca1e24377628fd8fe91faf292f1d0
Instruction ID: 74a062688efe43c25306db39c933e223afc6a4dba787d852820be6e4701bb3b3
Opcode Fuzzy Hash: 1d41564a20210025e70ec91b017aed7caadca1e24377628fd8fe91faf292f1d0
Instruction Fuzzy Hash: F0716D7190121AEFDF209FA4DC84BAFBBB8BF1A301F044126F919B6291D775D905CB68

Function 004CC3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CC4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,004DCC08,00000000,?,00000000,?,?), ref: 004CC544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 004CC5A4
_wcslen.LIBCMT ref: 004CC5F4
_wcslen.LIBCMT ref: 004CC66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 004CC6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 004CC7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 004CC84D
RegCloseKey.ADVAPI32(?), ref: 004CC881
RegCloseKey.ADVAPI32(00000000), ref: 004CC88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 004CC960

Strings

REG_MULTI_SZ, xrefs: 004CC6F5
REG_DWORD, xrefs: 004CC804
REG_SZ, xrefs: 004CC644
REG_BINARY, xrefs: 004CC913
REG_EXPAND_SZ, xrefs: 004CC5CD
REG_QWORD, xrefs: 004CC8C3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: a7278bf36bfea9bf80cc250b564b5b18d314c584f74561dfc17722231a00f87f
Instruction ID: 47c3bcd7b1295367621c62b4be0f2a43f1b597097f1946c23e88bb1145838f63
Opcode Fuzzy Hash: a7278bf36bfea9bf80cc250b564b5b18d314c584f74561dfc17722231a00f87f
Instruction Fuzzy Hash: 51127C35604211AFDB14DF15C481F2AB7E5EF88758F04885EF84A9B3A2DB39EC41CB99

Function 004D091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004D09C6
_wcslen.LIBCMT ref: 004D0A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D0A54
_wcslen.LIBCMT ref: 004D0A8A
_wcslen.LIBCMT ref: 004D0B06
_wcslen.LIBCMT ref: 004D0B81

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

Part of subcall function 004A2BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004A2BFA

Strings

GETTEXT, xrefs: 004D0C97
SELECT, xrefs: 004D0D11
CHECK, xrefs: 004D0A85, 004D0AA0
GETTOTALCOUNT, xrefs: 004D09F2, 004D0A17
GETITEMCOUNT, xrefs: 004D0C1E
GETSELECTED, xrefs: 004D0C4E
UNCHECK, xrefs: 004D0D3E
EXPAND, xrefs: 004D0BF8
COLLAPSE, xrefs: 004D0B01, 004D0B1C
EXISTS, xrefs: 004D0B7C, 004D0B97
ISCHECKED, xrefs: 004D0CE1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9cbce4118ddbecbb2492ef258fe206cbd69778df5518d2241bac77eff38db762
Instruction ID: d8d6a5fd7b41486e3cc6cd57e964e7b1eeac48dfdee597c5830f92ba6392fa2b
Opcode Fuzzy Hash: 9cbce4118ddbecbb2492ef258fe206cbd69778df5518d2241bac77eff38db762
Instruction Fuzzy Hash: 04E17C316087019FC714DF25C460A2AB7E1BF98318F14495FF8965B3A2D739ED4ACB8A

Function 004CC998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
_wcslen.LIBCMT ref: 004CC9F1
_wcslen.LIBCMT ref: 004CCA68
_wcslen.LIBCMT ref: 004CCA9E
_wcslen.LIBCMT ref: 004CCAF9
_wcslen.LIBCMT ref: 004CCB2F
_wcslen.LIBCMT ref: 004CCB7F

Strings

HKEY_CURRENT_CONFIG, xrefs: 004CCB79, 004CCB7E
HKEY_CLASSES_ROOT, xrefs: 004CCAF3, 004CCAF8
HKCR, xrefs: 004CCB29, 004CCB2E
HKCU, xrefs: 004CCBCE
HKLM, xrefs: 004CCA98, 004CCA9D
HKEY_USERS, xrefs: 004CCBDF
HKU, xrefs: 004CCBF0
HKEY_LOCAL_MACHINE, xrefs: 004CCA62, 004CCA67
HKCC, xrefs: 004CCBAC
HKEY_CURRENT_USER, xrefs: 004CCBBD

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 978e368687f166b8eb26426a429886eec5b74cb70635607f846c8584e021b9b7
Instruction ID: e0d0e9f7f9e9d9e2d5ca14b48231ab727a9f62f603bac46fa804e75069288831
Opcode Fuzzy Hash: 978e368687f166b8eb26426a429886eec5b74cb70635607f846c8584e021b9b7
Instruction Fuzzy Hash: 5871073AA0052A8BCB50DE799881FBF3391AB64754B10012EF85A97384F639DD45C359

Function 004D833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004D835A
_wcslen.LIBCMT ref: 004D836E
_wcslen.LIBCMT ref: 004D8391
_wcslen.LIBCMT ref: 004D83B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 004D83F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004D5BF2), ref: 004D844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 004D84CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 004D8501
FreeLibrary.KERNEL32(?), ref: 004D850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 004D851D
DestroyIcon.USER32(?,?,?,?,?,004D5BF2), ref: 004D852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 004D8549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 004D8555

Strings

.icl, xrefs: 004D8368
.dll, xrefs: 004D83AB
.exe, xrefs: 004D8388

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 739a6bcffcfe10ec01f9c4c178212ab3bc48bd0b8b4bffdd62d2852785b8ee23
Instruction ID: 59b780dae6f6179a7f88121e31e1c5ba122b7f3154a9001b7b207d5aae5a4591
Opcode Fuzzy Hash: 739a6bcffcfe10ec01f9c4c178212ab3bc48bd0b8b4bffdd62d2852785b8ee23
Instruction Fuzzy Hash: 1C611371A00215BAEB14CF64DC91BBF77A8FB04711F10460FF815D62D1EB78A940C7A8

Function 00447778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#notrayicon, xrefs: 004477E7
", xrefs: 00485153
#OnAutoItStartRegister, xrefs: 00447817
#requireadmin, xrefs: 004477FF
#include, xrefs: 00447847
', xrefs: 00485169
Cannot parse #include, xrefs: 00485279
#pragma compile, xrefs: 004477D3
#include-once, xrefs: 0044782F
#ce, xrefs: 004478ED
#comments-start, xrefs: 0044785F, 004478B1
#comments-end, xrefs: 004478D9
#cs, xrefs: 00447873, 004478C5
Unterminated group of comments, xrefs: 0048528C
Bad directive syntax error, xrefs: 0048519A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 3a025233f912596144ee84ac7958c82b7d8681775837c6f6db1e957e634623de
Instruction ID: 4281426903323de7a0a1442354c89715cd5a66f6238ab3ba75e102bdac81254b
Opcode Fuzzy Hash: 3a025233f912596144ee84ac7958c82b7d8681775837c6f6db1e957e634623de
Instruction Fuzzy Hash: 88811871A00605BBEB21BF61DC42FAF3764AF15304F04442BF905AA292EB7DD916C79E

Function 004B3E79 Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 004B3EF8
_wcslen.LIBCMT ref: 004B3F03
_wcslen.LIBCMT ref: 004B3F5A
_wcslen.LIBCMT ref: 004B3F98
GetDriveTypeW.KERNEL32(?), ref: 004B3FD6
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B401E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4059
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004B4087

Strings

close, xrefs: 004B3EFE, 004B3F18
wait, xrefs: 004B4044
closed, xrefs: 004B3F08, 004B3F2D, 004B3F46, 004B3F7E, 004B3F97
open, xrefs: 004B3F54, 004B3F59
close cd wait, xrefs: 004B4072
open , xrefs: 004B3FE5
set cd door , xrefs: 004B4028
type cdaudio alias cd wait, xrefs: 004B4001

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 6debee4f223e03b4b8e66e87cc24bf1cab1041a313128be00df258e744c44dbc
Instruction ID: 1ce07d22fa5b8af40b0a5523f7563b236c5d83b20cfdb3214e198a8f53734751
Opcode Fuzzy Hash: 6debee4f223e03b4b8e66e87cc24bf1cab1041a313128be00df258e744c44dbc
Instruction Fuzzy Hash: DD71DF326042129FD310EF25C8818ABB7F4FF94758F00492EF89597291EB38ED49CB66

Function 004A5A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 004A5A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004A5A40
SetWindowTextW.USER32(?,?), ref: 004A5A57
GetDlgItem.USER32(?,000003EA), ref: 004A5A6C
SetWindowTextW.USER32(00000000,?), ref: 004A5A72
GetDlgItem.USER32(?,000003E9), ref: 004A5A82
SetWindowTextW.USER32(00000000,?), ref: 004A5A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 004A5AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 004A5AC3
GetWindowRect.USER32(?,?), ref: 004A5ACC
_wcslen.LIBCMT ref: 004A5B33
SetWindowTextW.USER32(?,?), ref: 004A5B6F
GetDesktopWindow.USER32 ref: 004A5B75
GetWindowRect.USER32(00000000), ref: 004A5B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 004A5BD3
GetClientRect.USER32(?,?), ref: 004A5BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 004A5C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 004A5C2F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 8827e5c40be29343979ee832e74576b43d5f0ba24c3524c40d74d96de9a47105
Instruction ID: 772117a802ce897a0c165fbbbe222417f8abbcdc8da9b174d58084b0a8bb672f
Opcode Fuzzy Hash: 8827e5c40be29343979ee832e74576b43d5f0ba24c3524c40d74d96de9a47105
Instruction Fuzzy Hash: 14719271A00B059FDB20DFA8CE85A6FBBF5FF58705F10452AE142A26A0D778F904CB18

Function 004BFE0E Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 004BFE27
LoadCursorW.USER32(00000000,00007F8A), ref: 004BFE32
LoadCursorW.USER32(00000000,00007F00), ref: 004BFE3D
LoadCursorW.USER32(00000000,00007F03), ref: 004BFE48
LoadCursorW.USER32(00000000,00007F8B), ref: 004BFE53
LoadCursorW.USER32(00000000,00007F01), ref: 004BFE5E
LoadCursorW.USER32(00000000,00007F81), ref: 004BFE69
LoadCursorW.USER32(00000000,00007F88), ref: 004BFE74
LoadCursorW.USER32(00000000,00007F80), ref: 004BFE7F
LoadCursorW.USER32(00000000,00007F86), ref: 004BFE8A
LoadCursorW.USER32(00000000,00007F83), ref: 004BFE95
LoadCursorW.USER32(00000000,00007F85), ref: 004BFEA0
LoadCursorW.USER32(00000000,00007F82), ref: 004BFEAB
LoadCursorW.USER32(00000000,00007F84), ref: 004BFEB6
LoadCursorW.USER32(00000000,00007F04), ref: 004BFEC1
LoadCursorW.USER32(00000000,00007F02), ref: 004BFECC
GetCursorInfo.USER32(?), ref: 004BFEDC
GetLastError.KERNEL32 ref: 004BFF1E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d9c03ab3ebaf14a2e977f94620d176fa017aaca6a7df5cdc247cd6af124b87db
Instruction ID: 9060a4fffcfc5d26cdec9ba8a755cf2864339faa3ff17f561eb5e660a3edcd0c
Opcode Fuzzy Hash: d9c03ab3ebaf14a2e977f94620d176fa017aaca6a7df5cdc247cd6af124b87db
Instruction Fuzzy Hash: 034161B0D053196ADB10DFBA8C8986EBFE8FF04754B50452BE11DE7281DB78A901CEA5

Function 004A30F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A318D
_wcslen.LIBCMT ref: 004A31F8

Strings

[P, xrefs: 004A339A
NAME, xrefs: 004A3335, 004A3346
REGEXPCLASS, xrefs: 004A3255, 004A3266
INSTANCE, xrefs: 004A3453
CLASS, xrefs: 004A3188, 004A31A5
TEXT, xrefs: 004A347C
CLASSNN, xrefs: 004A31F3, 004A3204

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[P
API String ID: 176396367-2337605258
Opcode ID: e15e1f239f9caeb71d35492d96d3578b4b4b424917d33e0974703c78c1bdebea
Instruction ID: 4202695980e25f4050cf88744d508a44e7a3126b48cae055a743837596620743
Opcode Fuzzy Hash: e15e1f239f9caeb71d35492d96d3578b4b4b424917d33e0974703c78c1bdebea
Instruction Fuzzy Hash: 48E1E532A00516ABCB14DF78C4517EFFBA0BF66715F14811BF456A7280FB38AE858B94

Function 004600C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 004600C6

Part of subcall function 004600ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0051070C,00000FA0,82AD5A5E,?,?,?,?,004823B3,000000FF), ref: 0046011C
Part of subcall function 004600ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,004823B3,000000FF), ref: 00460127
Part of subcall function 004600ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,004823B3,000000FF), ref: 00460138
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0046014E
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0046015C
Part of subcall function 004600ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0046016A
Part of subcall function 004600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00460195
Part of subcall function 004600ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 004601A0

___scrt_fastfail.LIBCMT ref: 004600E7

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

Strings

WakeAllConditionVariable, xrefs: 00460162
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00460122
SleepConditionVariableCS, xrefs: 00460154
kernel32.dll, xrefs: 00460133
InitializeConditionVariable, xrefs: 00460148

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: b4d6da1cc7fb0b7603400242dfd4480df2b898b6227e5797e54bb940ef144ae5
Instruction ID: 0cb4fae7b5c52e93b0157d1dac7299b2a4f4ca9feb39c943511fc883ab3646b3
Opcode Fuzzy Hash: b4d6da1cc7fb0b7603400242dfd4480df2b898b6227e5797e54bb940ef144ae5
Instruction Fuzzy Hash: 33212C326417116BE7205B64AC46B9F3794DB06B51F10023BFC02D23D1EBAC5804CA9E

Function 004B44C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,004DCC08), ref: 004B4527
_wcslen.LIBCMT ref: 004B453B
_wcslen.LIBCMT ref: 004B4599
_wcslen.LIBCMT ref: 004B45F4
_wcslen.LIBCMT ref: 004B463F
_wcslen.LIBCMT ref: 004B46A7

Part of subcall function 0045F9F2: _wcslen.LIBCMT ref: 0045F9FD

GetDriveTypeW.KERNEL32(?,00506BF0,00000061), ref: 004B4743

Strings

unknown, xrefs: 004B4708
ramdisk, xrefs: 004B46F1
all, xrefs: 004B4531, 004B4536
removable, xrefs: 004B45EA, 004B45EF
cdrom, xrefs: 004B458F, 004B4594
network, xrefs: 004B469D, 004B46A2
fixed, xrefs: 004B4635, 004B463A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 183c4efda26571965d748204d2719285dd46cbdb63939346c2cdf65716c3452d
Instruction ID: 9e63dadc3888284e2c75a1c04aa69ff4858260facebb9894a86cfaf445a65aae
Opcode Fuzzy Hash: 183c4efda26571965d748204d2719285dd46cbdb63939346c2cdf65716c3452d
Instruction Fuzzy Hash: 61B102716083029BC710DF29C890AABB7E5AFE5724F10491EF496C7392EB38D845CA66

Function 004D911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

DragQueryPoint.SHELL32(?,?), ref: 004D9147

Part of subcall function 004D7674: ClientToScreen.USER32(?,?), ref: 004D769A
Part of subcall function 004D7674: GetWindowRect.USER32(?,?), ref: 004D7710
Part of subcall function 004D7674: PtInRect.USER32(?,?,004D8B89), ref: 004D7720

SendMessageW.USER32(?,000000B0,?,?), ref: 004D91B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 004D91BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 004D91DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 004D9225
SendMessageW.USER32(?,000000B0,?,?), ref: 004D923E
SendMessageW.USER32(?,000000B1,?,?), ref: 004D9255
SendMessageW.USER32(?,000000B1,?,?), ref: 004D9277
DragFinish.SHELL32(?), ref: 004D927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 004D9371

Strings

p#Q, xrefs: 004D92BB
@GUI_DROPID, xrefs: 004D929E
@GUI_DRAGID, xrefs: 004D92E9
@GUI_DRAGFILE, xrefs: 004D9320

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#Q
API String ID: 221274066-1814383935
Opcode ID: fb1e94609065481e173d4aaef74c4a3f719e40abc3b7d1a0b13ed747ba35f4f8
Instruction ID: 6d3425b93d7e6b11737a42ab6cd0816991145cc34951e4b4185837d3ad10f331
Opcode Fuzzy Hash: fb1e94609065481e173d4aaef74c4a3f719e40abc3b7d1a0b13ed747ba35f4f8
Instruction Fuzzy Hash: 82617971108301AFD701EF65DC85DAFBBE8EF89354F00092FF595922A1DB349A49CB5A

Function 0044326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00511990), ref: 00482F8D
GetMenuItemCount.USER32(00511990), ref: 0048303D
GetCursorPos.USER32(?), ref: 00483081
SetForegroundWindow.USER32(00000000), ref: 0048308A
TrackPopupMenuEx.USER32(00511990,00000000,?,00000000,00000000,00000000), ref: 0048309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004830A9

Strings

0, xrefs: 0044327D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 2c04e84bce4b41f03e3466344f75e9745e9226c9bc2cf37a50700351e9c0cb27
Instruction ID: 40eb11ddb95f34d65565841547660b33d72519578a65b558450ec61545f3adea
Opcode Fuzzy Hash: 2c04e84bce4b41f03e3466344f75e9745e9226c9bc2cf37a50700351e9c0cb27
Instruction Fuzzy Hash: 64711630640216BAFB219F25CD89FAEBF64FF05724F204257F614662E0C7F9A910DB99

Function 004D6CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 004D6DEB

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 004D6E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 004D6E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D6E94
DestroyWindow.USER32(?), ref: 004D6EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00440000,00000000), ref: 004D6EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 004D6EFD
GetDesktopWindow.USER32 ref: 004D6F16
GetWindowRect.USER32(00000000), ref: 004D6F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 004D6F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 004D6F4D

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

Strings

0, xrefs: 004D6D98
tooltips_class32, xrefs: 004D6E58, 004D6EDD

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 03687c9bb53a2adfdcd7bca4e564fd03f774026d884ad1db69932916e2dae32d
Instruction ID: ab110c9c65ac116654aaf94f118da227ad4eb751781689f20c36eb2d8d67042a
Opcode Fuzzy Hash: 03687c9bb53a2adfdcd7bca4e564fd03f774026d884ad1db69932916e2dae32d
Instruction Fuzzy Hash: CB717970104645AFDB21CF18D898AABBBFAFB89304F05441FF99987361C774E909DB1A

Function 004BC476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BC4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BC4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BC4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004BC4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 004BC533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 004BC549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BC554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BC584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 004BC5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 004BC5F0
InternetCloseHandle.WININET(00000000), ref: 004BC5FB

Strings

, xrefs: 004BC575

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: d44767b5704b07270319c0a7d3dc21a39540a95b7fd43b416a00924c953c8daf
Instruction ID: 8b5ee0e386a7dee170b546b570e7c1aeec5ee908da8c5b19d2f3fd95f559766d
Opcode Fuzzy Hash: d44767b5704b07270319c0a7d3dc21a39540a95b7fd43b416a00924c953c8daf
Instruction Fuzzy Hash: B1513BB1501209BFDB219F65C9C8AAB7BBCEF08754F00442BF945D6250DB38EA44DBB9

Function 004D856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 004D8592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85BA
GlobalLock.KERNEL32(00000000), ref: 004D85C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85D7
GlobalUnlock.KERNEL32(00000000), ref: 004D85E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 004D85F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,004DFC38,?), ref: 004D8611
GlobalFree.KERNEL32(00000000), ref: 004D8621
GetObjectW.GDI32(?,00000018,?), ref: 004D8641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 004D8671
DeleteObject.GDI32(?), ref: 004D8699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 004D86AF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 631c4d19d378fa699d54cb8ac3c6ba5e572a9809071cc1e4afdfc7f12063c690
Instruction ID: 34e5e88000cd8989c920addd1f1e9efa5710274dde80d5013b5116a9112b4fe0
Opcode Fuzzy Hash: 631c4d19d378fa699d54cb8ac3c6ba5e572a9809071cc1e4afdfc7f12063c690
Instruction Fuzzy Hash: E6411875601209AFDB119FA5DC98EAF7BBCEF89B11F10416AF905E7260DB349901CB28

Function 004B14BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 004B1502
VariantCopy.OLEAUT32(?,?), ref: 004B150B
VariantClear.OLEAUT32(?), ref: 004B1517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 004B15FB
VarR8FromDec.OLEAUT32(?,?), ref: 004B1657
VariantInit.OLEAUT32(?), ref: 004B1708
SysFreeString.OLEAUT32(?), ref: 004B178C
VariantClear.OLEAUT32(?), ref: 004B17D8
VariantClear.OLEAUT32(?), ref: 004B17E7
VariantInit.OLEAUT32(00000000), ref: 004B1823

Strings

Default, xrefs: 004B16AF
%4d%02d%02d%02d%02d%02d, xrefs: 004B1625

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 05403c8f7bb71885b58b21ad3fec28b24767c4fc4c20f63f53ac93c43ee44a90
Instruction ID: fa72a18a57bf4829436b30c01ea69df76f23a9b0913c8c471c9adaddefe3561e
Opcode Fuzzy Hash: 05403c8f7bb71885b58b21ad3fec28b24767c4fc4c20f63f53ac93c43ee44a90
Instruction Fuzzy Hash: E9D12571600105EBDB209F65E894BBEB7B5BF44700F94405BF8079B2A1DB38DC49DB6A

Function 004CB60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CB6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CB772
RegDeleteValueW.ADVAPI32(?,?), ref: 004CB80A
RegCloseKey.ADVAPI32(?), ref: 004CB87E
RegCloseKey.ADVAPI32(?), ref: 004CB89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 004CB8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004CB904
RegDeleteKeyW.ADVAPI32(?,?), ref: 004CB922
FreeLibrary.KERNEL32(00000000), ref: 004CB983
RegCloseKey.ADVAPI32(00000000), ref: 004CB994

Strings

RegDeleteKeyExW, xrefs: 004CB8FE
advapi32.dll, xrefs: 004CB8ED

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 0a5e25966153a36ffed49910cbb8d83cbd049bd4879ee0e4cd3e5dec755772d7
Instruction ID: 347e06d35d53e4381452192e9f0146ddbdc994d2d4b015ed39e777a79e9d7f5f
Opcode Fuzzy Hash: 0a5e25966153a36ffed49910cbb8d83cbd049bd4879ee0e4cd3e5dec755772d7
Instruction Fuzzy Hash: A5C17D74205201AFD750DF15C495F2ABBE5FF84308F14855EE49A8B3A2CB39EC45CB96

Function 004C255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004C25D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004C25E8
CreateCompatibleDC.GDI32(?), ref: 004C25F4
SelectObject.GDI32(00000000,?), ref: 004C2601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 004C266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 004C26AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 004C26D0
SelectObject.GDI32(?,?), ref: 004C26D8
DeleteObject.GDI32(?), ref: 004C26E1
DeleteDC.GDI32(?), ref: 004C26E8
ReleaseDC.USER32(00000000,?), ref: 004C26F3

Strings

(, xrefs: 004C268D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: a770a37c83f07413f0c0130b371ad8eef7a7fb97725c80daa2f0c8df857bc9f9
Instruction ID: e6b935ce2dee1fbee1f7bcf5ef5f191660b016e06d10394a9b79d406cb03973e
Opcode Fuzzy Hash: a770a37c83f07413f0c0130b371ad8eef7a7fb97725c80daa2f0c8df857bc9f9
Instruction Fuzzy Hash: E261E275D01219EFCF04CFA4D984EAEBBB5FF48310F20852AE955A7250D774A941CF64

Function 0047DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0047DAA1

Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D659
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D66B
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D67D
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D68F
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6A1
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6B3
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6C5
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6D7
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6E9
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D6FB
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D70D
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D71F
Part of subcall function 0047D63C: _free.LIBCMT ref: 0047D731

_free.LIBCMT ref: 0047DA96

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047DAB8
_free.LIBCMT ref: 0047DACD
_free.LIBCMT ref: 0047DAD8
_free.LIBCMT ref: 0047DAFA
_free.LIBCMT ref: 0047DB0D
_free.LIBCMT ref: 0047DB1B
_free.LIBCMT ref: 0047DB26
_free.LIBCMT ref: 0047DB5E
_free.LIBCMT ref: 0047DB65
_free.LIBCMT ref: 0047DB82
_free.LIBCMT ref: 0047DB9A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9193a334a387b1161d04325ab83c226262d7405d35c72517ddfa759dc7c7393f
Instruction ID: 4c41409aafb36992286527732a4f043fb73985f6c2a3f42bcf1f351109b273ff
Opcode Fuzzy Hash: 9193a334a387b1161d04325ab83c226262d7405d35c72517ddfa759dc7c7393f
Instruction Fuzzy Hash: D5316CB1A042059FDB21AA3AD941B9BB7E8FF00314F14842BE14DD7291DA78BC848728

Function 004A365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 004A369C
_wcslen.LIBCMT ref: 004A36A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 004A3797
GetClassNameW.USER32(?,?,00000400), ref: 004A380C
GetDlgCtrlID.USER32(?), ref: 004A385D
GetWindowRect.USER32(?,?), ref: 004A3882
GetParent.USER32(?), ref: 004A38A0
ScreenToClient.USER32(00000000), ref: 004A38A7
GetClassNameW.USER32(?,?,00000100), ref: 004A3921
GetWindowTextW.USER32(?,?,00000400), ref: 004A395D

Strings

%s%u, xrefs: 004A3734

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 3bd87daaaf7d3257d69a4e0b575527f7456787709e392c0f64a1e62e2f5f8ba4
Instruction ID: 6ae17f8b9273ea31abe864e4f8453969fec46dcd7010c81b482319f29a0e3132
Opcode Fuzzy Hash: 3bd87daaaf7d3257d69a4e0b575527f7456787709e392c0f64a1e62e2f5f8ba4
Instruction Fuzzy Hash: E891D5B1204606AFD714DF24C885BABF7E8FF55345F00852EF999C2290EB38EA45CB95

Function 004A4954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 004A4994
GetWindowTextW.USER32(?,?,00000400), ref: 004A49DA
_wcslen.LIBCMT ref: 004A49EB
CharUpperBuffW.USER32(?,00000000), ref: 004A49F7
_wcsstr.LIBVCRUNTIME ref: 004A4A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 004A4A64
GetWindowTextW.USER32(?,?,00000400), ref: 004A4A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 004A4AE6
GetClassNameW.USER32(?,?,00000400), ref: 004A4B20
GetWindowRect.USER32(?,?), ref: 004A4B8B

Strings

ThumbnailClass, xrefs: 004A4A6F, 004A4AF1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 8571b750164d61a668c6133b6d7b2a0490af9e18972d0e81458c7f42958dd753
Instruction ID: e405c71147f15f57a50106348d82258b32d6fc5d6d600da3ebef284a3c4d3ffd
Opcode Fuzzy Hash: 8571b750164d61a668c6133b6d7b2a0490af9e18972d0e81458c7f42958dd753
Instruction Fuzzy Hash: C391BE710042059FDB04CF14C981BAB77A8FFE5314F04846BFD859A296EB78ED45CBAA

Function 004D8D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004D8D5A
GetFocus.USER32 ref: 004D8D6A
GetDlgCtrlID.USER32(00000000), ref: 004D8D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 004D8E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 004D8ECF
GetMenuItemCount.USER32(?), ref: 004D8EEC
GetMenuItemID.USER32(?,00000000), ref: 004D8EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 004D8F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 004D8F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 004D8FA1

Strings

0, xrefs: 004D8E9F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 80102838858602f5e3202c009d472ca4a230fb951befa155bb829bc2aaf17fba
Instruction ID: 7148e5e39af316cdacef0adb8b3e8721fd15933655fd0e65d8be876b11bd1df3
Opcode Fuzzy Hash: 80102838858602f5e3202c009d472ca4a230fb951befa155bb829bc2aaf17fba
Instruction Fuzzy Hash: 2E816A71504311ABD710CF24D894ABB7BEAAB88714F040A6FF994D7392DB38D905CB6A

Function 004ADC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004ADC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004ADC46
_wcslen.LIBCMT ref: 004ADC50
_wcsstr.LIBVCRUNTIME ref: 004ADCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 004ADCBC

Strings

\VarFileInfo\Translation, xrefs: 004ADCB4
04090000, xrefs: 004ADCF2
%u.%u.%u.%u, xrefs: 004ADD9A
StringFileInfo\, xrefs: 004ADC8F
DefaultLangCodepage, xrefs: 004ADD1F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 815a623c78b89bfdd9a8eeaaa24b21afddc282051093572c5ab0206823205aca
Instruction ID: c4b1c1161ba51b9fe528f5ec1c370e2c09bdd5a067ea77adb11911d7052ec06b
Opcode Fuzzy Hash: 815a623c78b89bfdd9a8eeaaa24b21afddc282051093572c5ab0206823205aca
Instruction Fuzzy Hash: 3F410572E402027ADB10A7759C47EBF77ACEF56714F10006FF901A6182FA7C990586AE

Function 004CCC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004CCC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 004CCC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004CCD48

Part of subcall function 004CCC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 004CCCAA
Part of subcall function 004CCC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 004CCCBD
Part of subcall function 004CCC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 004CCCCF
Part of subcall function 004CCC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 004CCD05
Part of subcall function 004CCC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 004CCD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 004CCCF3

Strings

RegDeleteKeyExW, xrefs: 004CCCC9
advapi32.dll, xrefs: 004CCCB8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: b27e478580137acf602751f1b19ac36a39dd7c2248366946845c235c75f1664e
Instruction ID: ffb223e39b25785f03960c2c364a4313e60c98bedd8421c9e1cf57b3ed978cf4
Opcode Fuzzy Hash: b27e478580137acf602751f1b19ac36a39dd7c2248366946845c235c75f1664e
Instruction Fuzzy Hash: 4A318575901129BBDB218B90DCC8EFFBB7CEF15740F00417AF90AE2240DB385A45DAA4

Function 004B3D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 004B3D40
_wcslen.LIBCMT ref: 004B3D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 004B3D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 004B3DBE
RemoveDirectoryW.KERNEL32(?), ref: 004B3DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 004B3E55
CloseHandle.KERNEL32(00000000), ref: 004B3E60
CloseHandle.KERNEL32(00000000), ref: 004B3E6B

Strings

\??\%s, xrefs: 004B3D5B
:, xrefs: 004B3D82
\, xrefs: 004B3D77

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 4eb4424bfdec42798a934fc026f8639219b02c3bd99be1c65370c3f6d9b6cfef
Instruction ID: 08754eaa7001a7b4817f019c95b6c6d061dab0965e505b8c5f3f2c677e07ed88
Opcode Fuzzy Hash: 4eb4424bfdec42798a934fc026f8639219b02c3bd99be1c65370c3f6d9b6cfef
Instruction Fuzzy Hash: C231817194021AAADB209FA1DC89FEF37BCAF88705F5041B6F50596160E7749744CB28

Function 004AE6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 004AE6B4

Part of subcall function 0045E551: timeGetTime.WINMM(?,?,004AE6D4), ref: 0045E555

Sleep.KERNEL32(0000000A), ref: 004AE6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 004AE705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 004AE727
SetActiveWindow.USER32 ref: 004AE746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 004AE754
SendMessageW.USER32(00000010,00000000,00000000), ref: 004AE773
Sleep.KERNEL32(000000FA), ref: 004AE77E
IsWindow.USER32 ref: 004AE78A
EndDialog.USER32(00000000), ref: 004AE79B

Strings

BUTTON, xrefs: 004AE719

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 766bc5d19e7fb57c2676f35befec53a9a354c04decee0c4a21eb0906a10e5a8e
Instruction ID: f6da4834670e6d2ea9f03893ad32c68fc7e4e825dbcac4906026d6d3edbb2c7a
Opcode Fuzzy Hash: 766bc5d19e7fb57c2676f35befec53a9a354c04decee0c4a21eb0906a10e5a8e
Instruction Fuzzy Hash: A8215074201206AFEF005F62ECC9B663B69E7B6349F504827F521822E1DF65AC14EA2C

Function 004AE9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 004AEA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 004AEA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 004AEA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 004AEA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 004AEAA7

Strings

alias PlayMe, xrefs: 004AEA36
play PlayMe, xrefs: 004AEAA2
close PlayMe, xrefs: 004AEA6E, 004AEA9B
status PlayMe mode, xrefs: 004AEA58
open , xrefs: 004AEA0C
play PlayMe wait, xrefs: 004AEA91

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 6b54a5211cb4e78ba977c7629484372726e93554c7a9fd18034ebe0f12c2a222
Instruction ID: 1e0731cb1aef30cd31610be7b8619a7985704d62c5d5167a954ba3ad015adf7f
Opcode Fuzzy Hash: 6b54a5211cb4e78ba977c7629484372726e93554c7a9fd18034ebe0f12c2a222
Instruction Fuzzy Hash: 6D117371A9025979E720A7A6DC4AEFF6EBCFBD2F04F44082B7811A20D1EE740D15C5B4

Function 004A5CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 004A5CE2
GetWindowRect.USER32(00000000,?), ref: 004A5CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 004A5D59
GetDlgItem.USER32(?,00000002), ref: 004A5D69
GetWindowRect.USER32(00000000,?), ref: 004A5D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 004A5DCF
GetDlgItem.USER32(?,000003E9), ref: 004A5DDD
GetWindowRect.USER32(00000000,?), ref: 004A5DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 004A5E31
GetDlgItem.USER32(?,000003EA), ref: 004A5E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 004A5E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 004A5E67

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: d8ab6eac564c28ed43bd315e52fd17e53c8f5216d38b4bbaa8824c9ea2df4af2
Instruction ID: 8025beead35433bcbfa894cf3b113f742572bf09ba15338ab6817d2b57ff4699
Opcode Fuzzy Hash: d8ab6eac564c28ed43bd315e52fd17e53c8f5216d38b4bbaa8824c9ea2df4af2
Instruction Fuzzy Hash: 12511071B00606AFDF18CFA8DD89AAEBBB5FB59310F14812AF515E7290D7749E00CB54

Function 00458BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00458F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00458BE8,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458FC5

DestroyWindow.USER32(?), ref: 00458C81
KillTimer.USER32(00000000,?,?,?,?,00458BBA,00000000,?), ref: 00458D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00496973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 004969A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000,?), ref: 004969B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00458BBA,00000000), ref: 004969D4
DeleteObject.GDI32(00000000), ref: 004969E6

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 01e2c28634c45e215f6a264d7ebe29cc524f6c3c153fc55f2abb909c3d2379df
Instruction ID: fac06a0071a65afe4b302710c687a75a5e5b44d627ce91bde6b78f4f3b106c70
Opcode Fuzzy Hash: 01e2c28634c45e215f6a264d7ebe29cc524f6c3c153fc55f2abb909c3d2379df
Instruction Fuzzy Hash: 5361CD30102A01DFCF229F15D948B6A7BF1FB50316F10856FE542AA661CB39AC89DF9D

Function 00459838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00459944: GetWindowLongW.USER32(?,000000EB), ref: 00459952

GetSysColor.USER32(0000000F), ref: 00459862

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: d6d585fdf9025992d3808c85545f581a4f4045d0cca6dff49c4dff52eb98e95f
Instruction ID: 8a02076f2f5f77d2a994f8750f7b42d9ca51fd81e508833349f74abd47b5310b
Opcode Fuzzy Hash: d6d585fdf9025992d3808c85545f581a4f4045d0cca6dff49c4dff52eb98e95f
Instruction Fuzzy Hash: D141B531115610EFDF206F389C84BBA3BA5AB06331F144627FDA28B2E2D7359C46DB19

Function 00478D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.F, xrefs: 0047903A, 00478FD0, 00478FF2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: .F
API String ID: 0-907655787
Opcode ID: 37e621771cf8e4cbb77e109ff4421e1903e7816c78f9b0a2cee663be812a2184
Instruction ID: 560dff50c83d399baf38652766be966e7e62b981ef7fd5e6b8ab28a65cd7b694
Opcode Fuzzy Hash: 37e621771cf8e4cbb77e109ff4421e1903e7816c78f9b0a2cee663be812a2184
Instruction Fuzzy Hash: 89C10874904285AFCF11DFA9D845BEEBBB0AF09314F04809FE55897392C7798D41CB69

Function 004A96E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0048F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 004A9717
LoadStringW.USER32(00000000,?,0048F7F8,00000001), ref: 004A9720

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0048F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 004A9742
LoadStringW.USER32(00000000,?,0048F7F8,00000001), ref: 004A9745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 004A9866

Strings

Line %d (File "%s"):, xrefs: 004A978F
Line %d:, xrefs: 004A97A0
%s (%d) : ==> %s: %s %s, xrefs: 004A984A
^ ERROR, xrefs: 004A97FB
Error: , xrefs: 004A981D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 290971066111bf094c26d0303308038a2c122ef348f2470aeef74d581d1ef5f0
Instruction ID: a4824d9b8aee4c59057fdb22b96538c762001f0df5a483f9f4ca1ee98f82a3e6
Opcode Fuzzy Hash: 290971066111bf094c26d0303308038a2c122ef348f2470aeef74d581d1ef5f0
Instruction Fuzzy Hash: 91415E72800209AAEF04FFE1DD86DEE7778AF15744F50042AB60172092EB396F58DB69

Function 004A06DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004A07A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004A07BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004A07DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 004A0804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 004A082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A0837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 004A083C

Strings

\IPC$, xrefs: 004A0784
\CLSID, xrefs: 004A0724
SOFTWARE\Classes\, xrefs: 004A070E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: a5452e32f522ba3c326aa17525912da9c4f3d417924510653561d018e6082925
Instruction ID: 6f3d916566a41965418ff5cec671c48d440b8f3260e7acd3b4bb56df12e57766
Opcode Fuzzy Hash: a5452e32f522ba3c326aa17525912da9c4f3d417924510653561d018e6082925
Instruction Fuzzy Hash: B3410A72C10229ABDF11EFA5DC95CEEB778FF14754F04452AE901A31A1EB385E14CB94

Function 004C3C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C3C5C
CoInitialize.OLE32(00000000), ref: 004C3C8A
CoUninitialize.OLE32 ref: 004C3C94
_wcslen.LIBCMT ref: 004C3D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 004C3DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 004C3ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 004C3F0E
CoGetObject.OLE32(?,00000000,004DFB98,?), ref: 004C3F2D
SetErrorMode.KERNEL32(00000000), ref: 004C3F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004C3FC4
VariantClear.OLEAUT32(?), ref: 004C3FD8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e672205afc5c5b2066de14a6f4d69df865e21aea9470df745c006064c14dd603
Instruction ID: a84987989226c92a782a6340020b9c0f8592ea422a3ab4dd241326cf1d4e666d
Opcode Fuzzy Hash: e672205afc5c5b2066de14a6f4d69df865e21aea9470df745c006064c14dd603
Instruction Fuzzy Hash: 75C135756082019FD740DF69C884E2BB7E9FF89749F00892EF98A9B250D734ED06CB56

Function 004B7A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004B7AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 004B7B8F
SHGetDesktopFolder.SHELL32(?), ref: 004B7BA3
CoCreateInstance.OLE32(004DFD08,00000000,00000001,00506E6C,?), ref: 004B7BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 004B7C74
CoTaskMemFree.OLE32(?,?), ref: 004B7CCC
SHBrowseForFolderW.SHELL32(?), ref: 004B7D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 004B7D7A
CoTaskMemFree.OLE32(00000000), ref: 004B7D81
CoTaskMemFree.OLE32(00000000), ref: 004B7DD6
CoUninitialize.OLE32 ref: 004B7DDC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4e624ce12831767e5c8b050021cd0e8aabe2b8ce17016fd733566700d7a1d0f3
Instruction ID: cc6026e57c6da63cc7bb305a9e306f3638dd18adce957f56392dec946a98acfc
Opcode Fuzzy Hash: 4e624ce12831767e5c8b050021cd0e8aabe2b8ce17016fd733566700d7a1d0f3
Instruction Fuzzy Hash: CCC12B75A04105AFDB14DF64C888DAEBBB9FF48308B1484AAF81A9B361D734ED45CB94

Function 004D541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 004D5504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D5515
CharNextW.USER32(00000158), ref: 004D5544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 004D5585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 004D559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D55AC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 175b97ef5795904b7d2201453a2249b6d87b3988ba6b2761488239fdf5edb42d
Instruction ID: dc48f658b94238dd445c9a0c68d609948e60eebcf3f12584cefca3247aed5bf2
Opcode Fuzzy Hash: 175b97ef5795904b7d2201453a2249b6d87b3988ba6b2761488239fdf5edb42d
Instruction Fuzzy Hash: CD61AF70900609ABDF10DF54CCA4AFF7BB9EB06360F10415BF925A6390DB788A81DB69

Function 0049FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0049FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0049FB08
VariantInit.OLEAUT32(?), ref: 0049FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0049FB3A
VariantCopy.OLEAUT32(?,?), ref: 0049FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0049FBA1
VariantClear.OLEAUT32(?), ref: 0049FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0049FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0049FBCC
VariantClear.OLEAUT32(?), ref: 0049FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0049FBE9

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0b25bbb83c11fe5cb213a46b5b50e83bff1be6c81844fc5d39fe85896c1fbeed
Instruction ID: 86e55309b752d91e3dfeba8b2cec71db397338d54a7fc3cafeacdb9cc508c34a
Opcode Fuzzy Hash: 0b25bbb83c11fe5cb213a46b5b50e83bff1be6c81844fc5d39fe85896c1fbeed
Instruction Fuzzy Hash: AB415135A002199FCF00DF64C8989AEBFB9EF48344F00807AE915E7261D734A949CF94

Function 004A9C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 004A9CA1
GetAsyncKeyState.USER32(000000A0), ref: 004A9D22
GetKeyState.USER32(000000A0), ref: 004A9D3D
GetAsyncKeyState.USER32(000000A1), ref: 004A9D57
GetKeyState.USER32(000000A1), ref: 004A9D6C
GetAsyncKeyState.USER32(00000011), ref: 004A9D84
GetKeyState.USER32(00000011), ref: 004A9D96
GetAsyncKeyState.USER32(00000012), ref: 004A9DAE
GetKeyState.USER32(00000012), ref: 004A9DC0
GetAsyncKeyState.USER32(0000005B), ref: 004A9DD8
GetKeyState.USER32(0000005B), ref: 004A9DEA

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 47d7bead955a7e9b417ecd2702975da6fd474f86bb0d7188eb9bcd51438afca1
Instruction ID: 5c872d40948fecb9f7c062da0168a56dfb62cf8d837d3524ffaca164c31445d6
Opcode Fuzzy Hash: 47d7bead955a7e9b417ecd2702975da6fd474f86bb0d7188eb9bcd51438afca1
Instruction Fuzzy Hash: 4141B834504BCA69FF31966084443B7BEA06F33354F48805BD6C6567C2D7AD9DC4C79A

Function 004C055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004C05BC
inet_addr.WSOCK32(?), ref: 004C061C
gethostbyname.WSOCK32(?), ref: 004C0628
IcmpCreateFile.IPHLPAPI ref: 004C0636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 004C06C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 004C06E5
IcmpCloseHandle.IPHLPAPI(?), ref: 004C07B9
WSACleanup.WSOCK32 ref: 004C07BF

Strings

Ping, xrefs: 004C0676

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: b663679bca8365e93b0c70bded945f0b7f83f9396c5f583f14110bbd5f9b1c76
Instruction ID: 3cfc1af65c91c085351036befba3304f97affb0b364a81715ee517bbc7e92d1b
Opcode Fuzzy Hash: b663679bca8365e93b0c70bded945f0b7f83f9396c5f583f14110bbd5f9b1c76
Instruction Fuzzy Hash: 51919B38609201EFD764DF15C489F1ABBE0AF44318F1485AEE4698B7A2C738ED45CF86

Function 004C8CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 004C8CF3

Part of subcall function 004A8E54: _wcslen.LIBCMT ref: 004A8E77

_wcslen.LIBCMT ref: 004C8D4E
_wcslen.LIBCMT ref: 004C8D9C
_wcslen.LIBCMT ref: 004C8DDC
_wcslen.LIBCMT ref: 004C8E6E

Strings

stdcall, xrefs: 004C8DD6, 004C8DDB
cdecl, xrefs: 004C8D48, 004C8D4D
winapi, xrefs: 004C8D96, 004C8D9B
none, xrefs: 004C8E65, 004C8E6A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 743d0407417a60069d8372ca2217ae10a54a83cbf03a3790d9f2a73b324dc4d9
Instruction ID: a4c4cc91180ebd4aee95765531939b8e34d929b53150667649cbcfe8f671f405
Opcode Fuzzy Hash: 743d0407417a60069d8372ca2217ae10a54a83cbf03a3790d9f2a73b324dc4d9
Instruction Fuzzy Hash: EE519D35A001169BCB54DF68C940ABFB7A5BF65324B20422FE826E73C5EB39DD40C798

Function 004C372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 004C3774
CoUninitialize.OLE32 ref: 004C377F
CoCreateInstance.OLE32(?,00000000,00000017,004DFB78,?), ref: 004C37D9
IIDFromString.OLE32(?,?), ref: 004C384C
VariantInit.OLEAUT32(?), ref: 004C38E4
VariantClear.OLEAUT32(?), ref: 004C3936

Strings

Failed to create object, xrefs: 004C37E4, 004C389A
Invalid parameter, xrefs: 004C3865
NULL Pointer assignment, xrefs: 004C381E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 31e0269cde4e8ad24dd7347f3b5408e362a04fe097866eaae3eb9076652757d1
Instruction ID: 51e5c8953608f785d01f228cb0cb84cbfdfbed3f063603b7ce6c74e9fb0b8530
Opcode Fuzzy Hash: 31e0269cde4e8ad24dd7347f3b5408e362a04fe097866eaae3eb9076652757d1
Instruction Fuzzy Hash: 7C618274608301AFD310EF55C849F5AB7E4EF49716F00881EF54597291C778EE49CBAA

Function 004D8B02 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

Part of subcall function 0045912D: GetCursorPos.USER32(?), ref: 00459141
Part of subcall function 0045912D: ScreenToClient.USER32(00000000,?), ref: 0045915E
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000001), ref: 00459183
Part of subcall function 0045912D: GetAsyncKeyState.USER32(00000002), ref: 0045919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 004D8B6B
ImageList_EndDrag.COMCTL32 ref: 004D8B71
ReleaseCapture.USER32 ref: 004D8B77
SetWindowTextW.USER32(?,00000000), ref: 004D8C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 004D8C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 004D8CFF

Strings

@GUI_DROPID, xrefs: 004D8C51
@GUI_DRAGFILE, xrefs: 004D8C9A
p#Q, xrefs: 004D8C71

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#Q
API String ID: 1924731296-1626033487
Opcode ID: 3ec9cfe4e773f77d4f4cf23c866252d2e24280071cd1aa2f64ad129cdb4305c3
Instruction ID: 28eac5eef2c41ef5e6c08d61097aecc90af9ffb86457c594b6eb6483159ad2fb
Opcode Fuzzy Hash: 3ec9cfe4e773f77d4f4cf23c866252d2e24280071cd1aa2f64ad129cdb4305c3
Instruction Fuzzy Hash: BD518D70105204AFE700EF15DCA5BAA77E4FB88754F00066EF952572E1DB749D08CB6A

Function 004B3388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 004B33CF

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 004B33F0

Strings

Line %d (File "%s"):, xrefs: 004B3443, 004B345C
"%s" (%d) : ==> %s:%s%s, xrefs: 004B3504
"%s" (%d) : ==> %s:, xrefs: 004B3522
Incorrect parameters to object property !, xrefs: 004B34AB
^ ERROR , xrefs: 004B349E
Error: , xrefs: 004B34D1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 8f7a553dbca46bf7f13a731cdd00b211175b9dfcfa9435f393b5e6860a677f70
Instruction ID: 289b72da7b3a03d791f328ffb47dd04cfda2d24b2202c8020d0dbdd737c5f328
Opcode Fuzzy Hash: 8f7a553dbca46bf7f13a731cdd00b211175b9dfcfa9435f393b5e6860a677f70
Instruction Fuzzy Hash: B651D231900109BAEF14EFA1CD46EEEB778AF14749F10406AF50572092DB392F58DB69

Function 004AB5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 004AB5FC
_wcslen.LIBCMT ref: 004AB608
_wcslen.LIBCMT ref: 004AB64D
_wcslen.LIBCMT ref: 004AB68C
_wcslen.LIBCMT ref: 004AB6C7

Strings

APPEND, xrefs: 004AB6C1, 004AB6C6
REMOVE, xrefs: 004AB602, 004AB607
KEYS, xrefs: 004AB647, 004AB64C
EXISTS, xrefs: 004AB686, 004AB68B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 963dfe7c3bdc461b1a5192b9690d10f65212161070cf5b056dd4801f6197d378
Instruction ID: ed6aac5e941582bd447c76a36e75cdba909cc26188b70ef77df02fba8728d88d
Opcode Fuzzy Hash: 963dfe7c3bdc461b1a5192b9690d10f65212161070cf5b056dd4801f6197d378
Instruction Fuzzy Hash: 2441D432A001269ACB105F7D88905BF77A5EBB2758B24412BE461DB386E739CD81C7D5

Function 004B5393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B53A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 004B5416
GetLastError.KERNEL32 ref: 004B5420
SetErrorMode.KERNEL32(00000000,READY), ref: 004B54A7

Strings

READONLY, xrefs: 004B5452
READY, xrefs: 004B5460, 004B5468
INVALID, xrefs: 004B5459
NOTREADY, xrefs: 004B544B
UNKNOWN, xrefs: 004B5444

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 46bc3ea60578710bb73a459ebf58068e19fb0861446c15b4a1728fba2d9fe0f4
Instruction ID: a361114cabaeffe2bd6bf3cbdc9f1ab1a491e4915d9ae7350a166f2db07b9c0d
Opcode Fuzzy Hash: 46bc3ea60578710bb73a459ebf58068e19fb0861446c15b4a1728fba2d9fe0f4
Instruction Fuzzy Hash: BF318F35A006059FDB10DF68D488BEABBB4FB45309F14806BE405CB392D779DD86CBA5

Function 004D3C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 004D3C79
SetMenu.USER32(?,00000000), ref: 004D3C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D3D10
IsMenu.USER32(?), ref: 004D3D24
CreatePopupMenu.USER32 ref: 004D3D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D3D5B
DrawMenuBar.USER32 ref: 004D3D63

Strings

F, xrefs: 004D3D4E
0, xrefs: 004D3C54

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 614e15d0731964440c1ed621d85bce6f004090904a01c051c4d384726ccbebb9
Instruction ID: 45b9bb1d052f631ac3cf69eba3b1afcdba3fbbeb082fb1fee560747cae313cdb
Opcode Fuzzy Hash: 614e15d0731964440c1ed621d85bce6f004090904a01c051c4d384726ccbebb9
Instruction Fuzzy Hash: 80417E75A0120AEFDF14CF64E8A4ADA77B6FF49351F14002AF94697360D734AA10CF59

Function 004A1EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 004A1F64
GetDlgCtrlID.USER32 ref: 004A1F6F
GetParent.USER32 ref: 004A1F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A1F8E
GetDlgCtrlID.USER32(?), ref: 004A1F97
GetParent.USER32(?), ref: 004A1FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 004A1FAE

Strings

ListBox, xrefs: 004A1F21
ComboBox, xrefs: 004A1EEC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 9fa1709b8a8b0dc904c7928f284967eeee461447e0a2ca6b7e00a48f437da276
Instruction ID: f5c7be50a931bf27c86910526ec7639202ce470d87a3b807a6d1f0486944582c
Opcode Fuzzy Hash: 9fa1709b8a8b0dc904c7928f284967eeee461447e0a2ca6b7e00a48f437da276
Instruction Fuzzy Hash: 9121B075900214BFDF04AFA0DC85DEEBBB8EF26354F00011BB961672E1DB389904DB68

Function 004D3A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 004D3A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 004D3AA0
GetWindowLongW.USER32(?,000000F0), ref: 004D3AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004D3AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 004D3B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 004D3BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004D3BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 004D3BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 004D3BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 004D3C13

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 49a514794b7ebca6d930d070e56aa01e774dc6c93a0e0c60509f15441701a7c4
Instruction ID: ef94fb0efb48d4861ed8a2e6318f36124b4d066f59b6d755ade031678a1fbff2
Opcode Fuzzy Hash: 49a514794b7ebca6d930d070e56aa01e774dc6c93a0e0c60509f15441701a7c4
Instruction Fuzzy Hash: D1617975A00208AFDB10DFA8CC91EEE77B8EB09704F10419BFA15A73A2D774AE45DB54

Function 004AB12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004AB151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB165
GetWindowThreadProcessId.USER32(00000000), ref: 004AB16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 004AB18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,004AA1E1,?,00000001), ref: 004AB21D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f7a79e6be196df47785fd8f7f86215ff970d9a9da1c1f2d71380e6a30f120684
Instruction ID: 7715f3740331e5420b40fd37d1d324d4b2eb97fd5e93cfde2c07094da488ee95
Opcode Fuzzy Hash: f7a79e6be196df47785fd8f7f86215ff970d9a9da1c1f2d71380e6a30f120684
Instruction Fuzzy Hash: E531A072541205BFDB109F64EC9CBAE7BA9FB76391F108057F900D6291E7B89904CFA8

Function 00472C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00472C94

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 00472CA0
_free.LIBCMT ref: 00472CAB
_free.LIBCMT ref: 00472CB6
_free.LIBCMT ref: 00472CC1
_free.LIBCMT ref: 00472CCC
_free.LIBCMT ref: 00472CD7
_free.LIBCMT ref: 00472CE2
_free.LIBCMT ref: 00472CED
_free.LIBCMT ref: 00472CFB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: aebb17aa106131ab861c1e68e5ea04c1e22dbb2af2e4a09f87f3d58975d57af0
Instruction ID: 0ba3b8f7b91fd406bf8d2d1919e05e77fa0f5982a4ff7400bf81e1149e669720
Opcode Fuzzy Hash: aebb17aa106131ab861c1e68e5ea04c1e22dbb2af2e4a09f87f3d58975d57af0
Instruction Fuzzy Hash: 52110AF5200008AFCB02EF65DA42CDD7B65FF05344F44809AFA4C5F222D675EE949B94

Function 004B7DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 004B7FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 004B7FC1
GetFileAttributesW.KERNEL32(?), ref: 004B7FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 004B8005
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8017
SetCurrentDirectoryW.KERNEL32(?), ref: 004B8060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 004B80B0

Strings

*.*, xrefs: 004B8066

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 7d3b40505bf7d096850dcaf84dfd87411f6d563d969e6fe2cbd9fb05242adb09
Instruction ID: 56d5c8a5a28bd6807d202643043f4ca5e4a9652bd61248bcd9569d178b81017f
Opcode Fuzzy Hash: 7d3b40505bf7d096850dcaf84dfd87411f6d563d969e6fe2cbd9fb05242adb09
Instruction Fuzzy Hash: C5817E715082419BDB20EF15C4849ABB3E8AFC9354F144C6FF885D7250EB39DD49CB6A

Function 00445BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00445C7A

Part of subcall function 00445D0A: GetClientRect.USER32(?,?), ref: 00445D30
Part of subcall function 00445D0A: GetWindowRect.USER32(?,?), ref: 00445D71
Part of subcall function 00445D0A: ScreenToClient.USER32(?,?), ref: 00445D99

GetDC.USER32 ref: 004846F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00484708
SelectObject.GDI32(00000000,00000000), ref: 00484716
SelectObject.GDI32(00000000,00000000), ref: 0048472B
ReleaseDC.USER32(?,00000000), ref: 00484733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 004847C4

Strings

U, xrefs: 00484693

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7f382ea5cb6f26f31b4c7808c94b90fe8f32831674c9443cd76927ef03ec3865
Instruction ID: b6243a5f60f5ac163331f7952c2bda72984b2bd8d9ebeee4d4f63d540300dd59
Opcode Fuzzy Hash: 7f382ea5cb6f26f31b4c7808c94b90fe8f32831674c9443cd76927ef03ec3865
Instruction Fuzzy Hash: 7F71F330400206DFDF21AF64C984ABE7BB1FF86324F14466BED515A2A6D7398842DF59

Function 004B359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004B35E4

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

LoadStringW.USER32(00512390,?,00000FFF,?), ref: 004B360A

Strings

Line %d (File "%s"):, xrefs: 004B366B
"%s" (%d) : ==> %s:%s%s, xrefs: 004B3724
"%s" (%d) : ==> %s:, xrefs: 004B3742
^ ERROR, xrefs: 004B36C9
Error: , xrefs: 004B36EF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 0ed085f5c5e6595c87a2183925352561f9d0a3d805b520be27ae2c0e3a15642d
Instruction ID: 89feca932b25eb1934f002c45981a3138d9e7feaa22e967ad3dd4ccbd8e43e3e
Opcode Fuzzy Hash: 0ed085f5c5e6595c87a2183925352561f9d0a3d805b520be27ae2c0e3a15642d
Instruction Fuzzy Hash: FC519471800509BAEF14EFA1CC81EEEBB74AF14705F14416AF50572191DB381B99DF69

Function 004BC253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BC272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004BC29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004BC2CA
GetLastError.KERNEL32 ref: 004BC322
SetEvent.KERNEL32(?), ref: 004BC336
InternetCloseHandle.WININET(00000000), ref: 004BC341

Strings

, xrefs: 004BC2BB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 15b851f1451f0355dff9657068b37e56859aeabed1a0a91bddc0234ee3789367
Instruction ID: d12884eb4a65cfe9831250f70e7a97f93005dc25e37f68aefdc3630dda6740db
Opcode Fuzzy Hash: 15b851f1451f0355dff9657068b37e56859aeabed1a0a91bddc0234ee3789367
Instruction Fuzzy Hash: 2D317171601205AFD7219F658CC4AEB7BFCEB49744B54852FF886D2200DB38DD059BB9

Function 004A989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00483AAF,?,?,Bad directive syntax error,004DCC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 004A98BC
LoadStringW.USER32(00000000,?,00483AAF,?), ref: 004A98C3

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 004A9987

Strings

Error: , xrefs: 004A9955
Line %d (File "%s"):, xrefs: 004A992D
., xrefs: 004A996D
Line %d:, xrefs: 004A9912
%s (%d) : ==> %s.: %s %s, xrefs: 004A98F1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2bdf4f05aa46bbe259827325a9d760e62a0e2e52d37d72f743b3548720c5ce72
Instruction ID: db3fadc2fa801c09b6b034043833da2a96834c0cff69deed8c4cfc9b732ae71c
Opcode Fuzzy Hash: 2bdf4f05aa46bbe259827325a9d760e62a0e2e52d37d72f743b3548720c5ce72
Instruction Fuzzy Hash: 6821D23280020AFBDF11AF90CC4AEEE3739BF14704F04042BF515220A2EB389A28DB55

Function 004A209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 004A20AB
GetClassNameW.USER32(00000000,?,00000100), ref: 004A20C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 004A214D

Strings

SHELLDLL_DefView, xrefs: 004A20CC
largeicons, xrefs: 004A20E1
smallicons, xrefs: 004A2115
list, xrefs: 004A212F
details, xrefs: 004A20FB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b8198aa6e0ca5c09d75d16426c9aab8d22ac6b084da093975505dfaea1cbf71f
Instruction ID: 60df70ff62491273c9fff2d1bdf62acfe89a4f5d0518ed9aaacdb005b56aa79b
Opcode Fuzzy Hash: b8198aa6e0ca5c09d75d16426c9aab8d22ac6b084da093975505dfaea1cbf71f
Instruction Fuzzy Hash: 8A11207668470775FA012625DD07DAB379CDF16314F20012BF705A51D1FEE9AC42691D

Function 0047CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0047CEB7
_free.LIBCMT ref: 0047CF22
_free.LIBCMT ref: 0047CF48
_free.LIBCMT ref: 0047CF71
_free.LIBCMT ref: 0047CFA9
_free.LIBCMT ref: 0047CFDA
_free.LIBCMT ref: 0047D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0047D09C
_free.LIBCMT ref: 0047D0B5

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 7512a94352c9d2d7db5226a3f5c9ec695be6c04f4991c868b0f733b4a0954bd9
Instruction ID: 8998aa18cf2f96a98cc445552d8a12f738e25ffa69d6fb7e681a71822c40bc0c
Opcode Fuzzy Hash: 7512a94352c9d2d7db5226a3f5c9ec695be6c04f4991c868b0f733b4a0954bd9
Instruction Fuzzy Hash: EB6167B1A04200AFCB21AFB5A8C1AEE7BA5AF01324F04C16FF94C973C1D67D99458798

Function 004D50D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 004D5186
ShowWindow.USER32(?,00000000), ref: 004D51C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 004D51CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 004D51D1

Part of subcall function 004D6FBA: DeleteObject.GDI32(00000000), ref: 004D6FE6

GetWindowLongW.USER32(?,000000F0), ref: 004D520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004D524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 004D5287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 004D5296

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: ca64b5ae814ac157c5aff9d3b0caf43bb4ef10106ae2fc658fdc62e2b1188733
Instruction ID: 271e8283f0750d73b841dcb81508e3844a960d5895b893f6e4f70c3c0d6d9416
Opcode Fuzzy Hash: ca64b5ae814ac157c5aff9d3b0caf43bb4ef10106ae2fc658fdc62e2b1188733
Instruction Fuzzy Hash: 1751B030A40A09FEEF209F25CC69BD93B71EB05365F144057FA24963E1CB79A988DF49

Function 00458B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00496890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 004968A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 004968B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 004968D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 004968F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00458874,00000000,00000000,00000000,000000FF,00000000), ref: 00496901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0049691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00458874,00000000,00000000,00000000,000000FF,00000000), ref: 0049692D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: d26b87c3ec0cc63a5604e2c480ad1b71e1ec560614691cb08f5f59c00dc797f1
Instruction ID: 3d9d252fd6670256bf7d472955d5b17426a994a3c40cb45c316a390f91522449
Opcode Fuzzy Hash: d26b87c3ec0cc63a5604e2c480ad1b71e1ec560614691cb08f5f59c00dc797f1
Instruction Fuzzy Hash: 7A518B70600209EFDB20CF25CC91FAA7BB9FB54351F10452EF952A72A0DB78E955DB48

Function 004BC143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004BC182
GetLastError.KERNEL32 ref: 004BC195
SetEvent.KERNEL32(?), ref: 004BC1A9

Part of subcall function 004BC253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 004BC272
Part of subcall function 004BC253: GetLastError.KERNEL32 ref: 004BC322
Part of subcall function 004BC253: SetEvent.KERNEL32(?), ref: 004BC336
Part of subcall function 004BC253: InternetCloseHandle.WININET(00000000), ref: 004BC341

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 3d222d4571ad41a43c9b383e354691c142bd969bfc41157a36649bf9fcc2c101
Instruction ID: f9df2617791211eb2f39e988012895d8db24782670b1aa82498a0df620bffa4b
Opcode Fuzzy Hash: 3d222d4571ad41a43c9b383e354691c142bd969bfc41157a36649bf9fcc2c101
Instruction Fuzzy Hash: A5318D71A01602AFDB259FA59CC4AA7BBE9FF58300B00446FF95686610C734E810DBB8

Function 004A25A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 004A25BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004A25DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 004A25DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A25E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004A2601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 004A2605
MapVirtualKeyW.USER32(00000025,00000000), ref: 004A260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004A2623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 004A2627

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 909944f577f2669676cef74bab3037bcc196fcc7eb2671ba074d5b9379709817
Instruction ID: 8631db7f7a30711a9c15e0dc5eb50f0979069d6aaad4fe4558ce54345911e352
Opcode Fuzzy Hash: 909944f577f2669676cef74bab3037bcc196fcc7eb2671ba074d5b9379709817
Instruction Fuzzy Hash: 2E01B130691220BBFB106B699CCAF593F59EB5AB12F100016F318AE0D1C9E26444DA6E

Function 004A1803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,004A1449,?,?,00000000), ref: 004A180C
HeapAlloc.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A1813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1449,?,?,00000000), ref: 004A1828
GetCurrentProcess.KERNEL32(?,00000000,?,004A1449,?,?,00000000), ref: 004A1830
DuplicateHandle.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A1833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,004A1449,?,?,00000000), ref: 004A1843
GetCurrentProcess.KERNEL32(004A1449,00000000,?,004A1449,?,?,00000000), ref: 004A184B
DuplicateHandle.KERNEL32(00000000,?,004A1449,?,?,00000000), ref: 004A184E
CreateThread.KERNEL32(00000000,00000000,004A1874,00000000,00000000,00000000), ref: 004A1868

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: dc6495899f31bcdcdf009a46f695579bca38253cfd411dd27686dacfdbf80979
Instruction ID: bdf6b4eaa9eeae5254ed24fe74737f8e8b07cfa4fa553a3be1d1247a8ecd04ae
Opcode Fuzzy Hash: dc6495899f31bcdcdf009a46f695579bca38253cfd411dd27686dacfdbf80979
Instruction Fuzzy Hash: 4C01BFB5281315BFE710AB65DC8DF5B3B6CEB89B11F004421FA05DB1A1C6749C00CF24

Function 00473E80 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00473F0B
__alldvrm.LIBCMT ref: 0047410C
__alldvrm.LIBCMT ref: 0047412E

Strings

}}F, xrefs: 00473E8A
}}F, xrefs: 00473E96, 00473EF1, 00473F0A, 00474090
}}F, xrefs: 004740CD

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: }}F$}}F$}}F
API String ID: 1036877536-383095928
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: f3e6061c1718ba565ccc466e0c020b4cab50d8d097cf18c0bee654123dbbbaf0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: BCA13771A002869FDB11DE18C8917FEBBE4EFA1354F14816FE5999B381C33C9982C759

Function 004CA0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 004AD4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 004AD501
Part of subcall function 004AD4DC: Process32FirstW.KERNEL32(00000000,?), ref: 004AD50F
Part of subcall function 004AD4DC: CloseHandle.KERNELBASE(00000000), ref: 004AD5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CA16D
GetLastError.KERNEL32 ref: 004CA180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 004CA1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 004CA268
GetLastError.KERNEL32(00000000), ref: 004CA273
CloseHandle.KERNEL32(00000000), ref: 004CA2C4

Strings

SeDebugPrivilege, xrefs: 004CA18F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 32bc00c4b239634de8ebd2e346d0508e513fd0a226e27a484f93fa4f809ed43c
Instruction ID: 2ff1938ce34f780f0a64fd94d7596f15b2ee2de312a4735abe33709841a61638
Opcode Fuzzy Hash: 32bc00c4b239634de8ebd2e346d0508e513fd0a226e27a484f93fa4f809ed43c
Instruction Fuzzy Hash: 2561BF342052429FE720DF15C494F16BBE1AF4431CF18849EE4568B7A3C77AEC49CB8A

Function 004D3886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004D3925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 004D393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 004D3954
_wcslen.LIBCMT ref: 004D3999
SendMessageW.USER32(?,00001057,00000000,?), ref: 004D39C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 004D39F4

Strings

SysListView32, xrefs: 004D38F7

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: c9e292629c104426d97e19e0eff4e73fe987805318f3b8a725e09d4cab64ef0a
Instruction ID: 25a7ecb3745f3a40b8832d9d99d8b10ec833bf11532d6485dc218388bc3bb7af
Opcode Fuzzy Hash: c9e292629c104426d97e19e0eff4e73fe987805318f3b8a725e09d4cab64ef0a
Instruction Fuzzy Hash: D941C171A00209ABEF219F64CC55BEB7BA9EF08354F10056BF948E7381D7759D84CB98

Function 004ABC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004ABCFD
IsMenu.USER32(00000000), ref: 004ABD1D
CreatePopupMenu.USER32 ref: 004ABD53
GetMenuItemCount.USER32(00D85B38), ref: 004ABDA4
InsertMenuItemW.USER32(00D85B38,?,00000001,00000030), ref: 004ABDCC

Strings

2, xrefs: 004ABD37
0, xrefs: 004ABCA8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: f6ff5cf6039889734dc2f11559b9f4903c15cbe3c2e2bb6b09886ecc51f77f5f
Instruction ID: 3c5c0361c0a5841879fd5d04493612cb6da1e4210aa0e88315f0744e42ee0d3f
Opcode Fuzzy Hash: f6ff5cf6039889734dc2f11559b9f4903c15cbe3c2e2bb6b09886ecc51f77f5f
Instruction Fuzzy Hash: 2E51CD70A00205ABDF11CFB9D8C4BAEBBF5EF66314F14422BE4419B392D7789941CB99

Function 00462D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00462D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00462D53
_ValidateLocalCookies.LIBCMT ref: 00462DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00462E0C
_ValidateLocalCookies.LIBCMT ref: 00462E61

Strings

&HF, xrefs: 00462DFE, 00462E07, 00462E18
csm, xrefs: 00462DF6

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &HF$csm
API String ID: 1170836740-2649640693
Opcode ID: a1c496db19a748f7fecd5b7b189eaaf0d6d7c34c0b55bf4f9e38e2a780a85360
Instruction ID: 875ed444d15d527e8af61c4012b13fae0218efa7271b61c8fe7120f7e3cf08dd
Opcode Fuzzy Hash: a1c496db19a748f7fecd5b7b189eaaf0d6d7c34c0b55bf4f9e38e2a780a85360
Instruction Fuzzy Hash: 7E41F834A00609BBCF10DF69C944ADFBBB4BF45319F14816BE8146B352E7B99A01CBD6

Function 004AC874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 004AC913

Strings

blank, xrefs: 004AC895
info, xrefs: 004AC8B4
question, xrefs: 004AC8CC
warning, xrefs: 004AC8FC
stop, xrefs: 004AC8E4

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 8f263f146b2c9e421d376799c5979851b965187df7f7fe4b3fdf0cf41e874e18
Instruction ID: 16b6ea95b1709cc9724e4b5dfe8e55fb97f2da5c576e3d4bc793332f902448f8
Opcode Fuzzy Hash: 8f263f146b2c9e421d376799c5979851b965187df7f7fe4b3fdf0cf41e874e18
Instruction Fuzzy Hash: D3112B75789307BAEB416B549CC2CAF27DCEF26319B10002FF500A63C2E7AC5D0052AE

Function 004ADE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004ADE42
gethostname.WSOCK32(?,00000100), ref: 004ADE5C
gethostbyname.WSOCK32(?), ref: 004ADE69
inet_ntoa.WSOCK32(?), ref: 004ADEAB
_strcat.LIBCMT ref: 004ADEB9
WSACleanup.WSOCK32 ref: 004ADEDE

Strings

0.0.0.0, xrefs: 004ADE87

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: d411be07e051d09a22e7801b1a3be3b87d4384d89869eb4cf1b0b024cbb5cc3d
Instruction ID: f3af1f278199b6cc1cbf7ac1cea5a57b0e4e061a83707dda274950cd125067ac
Opcode Fuzzy Hash: d411be07e051d09a22e7801b1a3be3b87d4384d89869eb4cf1b0b024cbb5cc3d
Instruction Fuzzy Hash: B9112471900106AFCB24AB319C4AEEF77ACDF22715F00017BF40696191FF788A81CA69

Function 004AED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 004AED2A
_wcslen.LIBCMT ref: 004AED3B
_wcslen.LIBCMT ref: 004AED79
_wcslen.LIBCMT ref: 004AEDAF
_wcslen.LIBCMT ref: 004AEDDF
_wcslen.LIBCMT ref: 004AEDEF
_wcslen.LIBCMT ref: 004AEE2B
_wcslen.LIBCMT ref: 004AEE5A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 03030b42329bdb120f1bf557848a0e08b7066b4cd98f0166303a6c46383f3569
Instruction ID: 61089c29621f4c03c018c975eff2bf5c02497322de218c5e031bb2b1b370a7aa
Opcode Fuzzy Hash: 03030b42329bdb120f1bf557848a0e08b7066b4cd98f0166303a6c46383f3569
Instruction Fuzzy Hash: 8C41B365D1021875DB11EBF6888A9CFB7A8AF46310F50846BE524E3161FB38E245C3AE

Function 0045F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0045F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0049F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 0049F454

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 294d681eb5e4823b955328d1a3d09878e618d51fa5731f021491e0bcb6994c19
Instruction ID: a783f981f3eab997c494d709bb14b585c4ee7a8dcfc3491be260b677bcaca31f
Opcode Fuzzy Hash: 294d681eb5e4823b955328d1a3d09878e618d51fa5731f021491e0bcb6994c19
Instruction Fuzzy Hash: 1D412D71104E40BACB348B29888876B7F91AB56316F54403FE84792762C63DA88DCB1F

Function 004D2D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004D2D1B
GetDC.USER32(00000000), ref: 004D2D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004D2D2E
ReleaseDC.USER32(00000000,00000000), ref: 004D2D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 004D2D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004D2D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,004D5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 004D2DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004D2DE1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8b82b2016ee0037bd65550d53c20b18dc26e805112ac20d2e2f631e31d5602ab
Instruction ID: da022ccd91059b4e424e5eb17b663db704d484db4083f15bb9dd614cd121231b
Opcode Fuzzy Hash: 8b82b2016ee0037bd65550d53c20b18dc26e805112ac20d2e2f631e31d5602ab
Instruction Fuzzy Hash: 15319F72202214BFEF114F50CC89FEB3BA9EF19715F044066FE089A291C6B59C41CBA8

Function 004A5622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004A5637
_memcmp.LIBVCRUNTIME ref: 004A5659
_memcmp.LIBVCRUNTIME ref: 004A5671
_memcmp.LIBVCRUNTIME ref: 004A5684
_memcmp.LIBVCRUNTIME ref: 004A569E
_memcmp.LIBVCRUNTIME ref: 004A56B1
_memcmp.LIBVCRUNTIME ref: 004A56C9
_memcmp.LIBVCRUNTIME ref: 004A56E4

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f722c7d1b621303366fab038fbb9ebe1397cba75fa7434abe2b346d8916bbd3b
Instruction ID: 005ae5f3177a376e18ccb004f5961deebc0fcb23072fc9ad72d40bf1aea8fc31
Opcode Fuzzy Hash: f722c7d1b621303366fab038fbb9ebe1397cba75fa7434abe2b346d8916bbd3b
Instruction Fuzzy Hash: 4521AA61641A0577E22455114F92FFB335CAF32788F544027FD1A5AB41F72CED1581AE

Function 004C4FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 004C5007
NULL Pointer assignment, xrefs: 004C502E, 004C5383

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 02fbd16973a26255c9ff3738aebf222eb37a839a7bfa153247bff2a0a08e3b09
Instruction ID: a9f2bec09532a0655e3794246d5f6830b869d37bbe4be8ca48634e73a6e8b997
Opcode Fuzzy Hash: 02fbd16973a26255c9ff3738aebf222eb37a839a7bfa153247bff2a0a08e3b09
Instruction Fuzzy Hash: D0D1BF79A0060A9FDF50CF98C884FAEB7B5BF48344F14806EE915AB281D774ED81CB54

Function 00481522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,004817FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 004815CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00481651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,004817FB,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004816E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 004816FB

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004817FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00481777
__freea.LIBCMT ref: 004817A2
__freea.LIBCMT ref: 004817AE

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9415c29822a50cf534b2c9ea2886be18ee35378679dbc8ba913e585e4bb60fe9
Instruction ID: fa4dccd8204f5dd146a8e28286fc9d4ce49fa7fdfc297254b883d7c7c22685ff
Opcode Fuzzy Hash: 9415c29822a50cf534b2c9ea2886be18ee35378679dbc8ba913e585e4bb60fe9
Instruction Fuzzy Hash: 6791B771E00216ABDB20AE64C881EEF7BB99F45314F184A5FE805E7261D73DCC42CB69

Function 004C4523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C4648
VariantInit.OLEAUT32(?), ref: 004C4749
VariantClear.OLEAUT32(?), ref: 004C4753
VariantClear.OLEAUT32(?), ref: 004C47B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 004C45D8, 004C4706, 004C47BE
Incorrect Object type in FOR..IN loop, xrefs: 004C472C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 4c0f80e736f1a5403db7560fe01196dd7292ad9cca59f082829485e079732b7e
Instruction ID: 29f19847784d5d7a4d6f60b1afed354ba41887118bc72cf56a9dce0de3877e74
Opcode Fuzzy Hash: 4c0f80e736f1a5403db7560fe01196dd7292ad9cca59f082829485e079732b7e
Instruction Fuzzy Hash: AD91D234A00219ABDF60CFA5C994FAFBBB8EF85714F10815EF505AB280D7789945CFA4

Function 004B1187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 004B125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 004B1284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 004B12A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B12D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B13C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 004B1430

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: cd22fbec725aee156c16e021021bf750f6382cf49d0238e32c128bf489128d04
Instruction ID: 3e29a73caaf2e29e2d8acd1ae114a487005196be0bc1ebb59270d384b97273b0
Opcode Fuzzy Hash: cd22fbec725aee156c16e021021bf750f6382cf49d0238e32c128bf489128d04
Instruction Fuzzy Hash: 22910371900219AFEB04DF95C8A4BFE77B5FF05315F10402BE900E72A1D778A946CBA9

Function 0045948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 944fb01354e0aaa822c6cc881e25c4ea0fb431730f0b050111b99771300e0e6a
Instruction ID: 74a8645b6ca3a0ca72b9aa6377109f8c0fc6ff87eb950cdc2085871ce9f207c8
Opcode Fuzzy Hash: 944fb01354e0aaa822c6cc881e25c4ea0fb431730f0b050111b99771300e0e6a
Instruction Fuzzy Hash: 16912771900219EFCB11CFA9C884AEEBBB8FF49320F14415AE915B7252D378AD56CB64

Function 004C3947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004C396B
CharUpperBuffW.USER32(?,?), ref: 004C3A7A
_wcslen.LIBCMT ref: 004C3A8A
VariantClear.OLEAUT32(?), ref: 004C3C1F

Part of subcall function 004B0CDF: VariantInit.OLEAUT32(00000000), ref: 004B0D1F
Part of subcall function 004B0CDF: VariantCopy.OLEAUT32(?,?), ref: 004B0D28
Part of subcall function 004B0CDF: VariantClear.OLEAUT32(?), ref: 004B0D34

Strings

Incorrect Parameter format, xrefs: 004C39A6, 004C3BA1
AUTOIT.ERROR, xrefs: 004C3A80, 004C3A85

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: dcb787bf536ab1b0c03cb0edac8864d8eb9d8c3a5512c244d467ef2648999679
Instruction ID: f81e04b5ae747fc4d50f04f812d9c8d912e0cfc5c3ea3939cfe3068846855698
Opcode Fuzzy Hash: dcb787bf536ab1b0c03cb0edac8864d8eb9d8c3a5512c244d467ef2648999679
Instruction Fuzzy Hash: CF917C796083019FC740DF25C48096AB7E4FF88319F14896EF88997352DB39EE05CB96

Function 004C4BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 004A000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?,?,004A035E), ref: 004A002B
Part of subcall function 004A000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0046
Part of subcall function 004A000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0054
Part of subcall function 004A000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?), ref: 004A0064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 004C4C51
_wcslen.LIBCMT ref: 004C4D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 004C4DCF
CoTaskMemFree.OLE32(?), ref: 004C4DDA

Strings

NULL Pointer assignment, xrefs: 004C4E23, 004C4E52

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 43686361d4b16630570906179251e7a2b99c76102b686e5513720fa404d1aa51
Instruction ID: a92ec6f2eeebdb90253cbe6a5a76e55c58ae88e86a68cdb47fd6447623d2d603
Opcode Fuzzy Hash: 43686361d4b16630570906179251e7a2b99c76102b686e5513720fa404d1aa51
Instruction Fuzzy Hash: 61912671D00219AFDF10EFA5D890EEEB7B8BF48304F10856EE915A7251EB389A45CF64

Function 004D20FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004D2183
GetMenuItemCount.USER32(00000000), ref: 004D21B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004D21DD
_wcslen.LIBCMT ref: 004D2213
GetMenuItemID.USER32(?,?), ref: 004D224D
GetSubMenu.USER32(?,?), ref: 004D225B

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 004D22E3

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: ebb663bc378662adef2b83613e849a32e0c85ec9d55bd30f1bf1a63d5376bc12
Instruction ID: 1eb29127a43270096bd2fc703890d16d1accd9284dae8117433b47397054ab01
Opcode Fuzzy Hash: ebb663bc378662adef2b83613e849a32e0c85ec9d55bd30f1bf1a63d5376bc12
Instruction Fuzzy Hash: 8E71BF75A00215AFCB00DF65C991AAEB7F1EF58314F1484ABE816EB341D778EE42CB94

Function 004AAEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004AAEF9
GetKeyboardState.USER32(?), ref: 004AAF0E
SetKeyboardState.USER32(?), ref: 004AAF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 004AAF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 004AAFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 004AAFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004AB020

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8b0b43fddfcb29ea99e8846d443d43ebcbaa136794b4c419bdc0ebb2d816c033
Instruction ID: 34b71844aad9456e71622ac18e9120943deb66be0a4762d1956c92165d82f850
Opcode Fuzzy Hash: 8b0b43fddfcb29ea99e8846d443d43ebcbaa136794b4c419bdc0ebb2d816c033
Instruction Fuzzy Hash: 6751D2A16087D53DFB3642348C45BBBBEA99B17304F08848BF1D5455C3C39CA894D799

Function 004AACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 004AAD19
GetKeyboardState.USER32(?), ref: 004AAD2E
SetKeyboardState.USER32(?), ref: 004AAD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 004AADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 004AADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 004AAE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 004AAE38

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 866bf4d70252961e47356eb6ce41eb6091dfb151fa85dc2bf42c92ddca7d7f28
Instruction ID: b1e65f21ce83035a07029bb33c244386b57701b77e56a04236a3f084deb95884
Opcode Fuzzy Hash: 866bf4d70252961e47356eb6ce41eb6091dfb151fa85dc2bf42c92ddca7d7f28
Instruction Fuzzy Hash: 7A51E5A15447D13DFB3382248C85B7BBE995B67304F08848AE1D54A9C2C398ECA8D76A

Function 0047542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00483CD6,?,?,?,?,?,?,?,?,00475BA3,?,?,00483CD6,?,?), ref: 00475470
__fassign.LIBCMT ref: 004754EB
__fassign.LIBCMT ref: 00475506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00483CD6,00000005,00000000,00000000), ref: 0047552C
WriteFile.KERNEL32(?,00483CD6,00000000,00475BA3,00000000,?,?,?,?,?,?,?,?,?,00475BA3,?), ref: 0047554B
WriteFile.KERNEL32(?,?,00000001,00475BA3,00000000,?,?,?,?,?,?,?,?,?,00475BA3,?), ref: 00475584

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 9549547556f51100c2141d25b0a1bdf8d4073b67f4d06855d02487afbecad6a7
Instruction ID: 40baae7a764fe4dd34d6ed3f700e3c6400a4d56e47c0465d07001c66f1f32300
Opcode Fuzzy Hash: 9549547556f51100c2141d25b0a1bdf8d4073b67f4d06855d02487afbecad6a7
Instruction Fuzzy Hash: 7651E6B0900649AFDB10CFA8D885AEEBBF9EF09300F14811FF959E7291D7749A45CB64

Function 004C10B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
Part of subcall function 004C304E: _wcslen.LIBCMT ref: 004C309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004C1112
WSAGetLastError.WSOCK32 ref: 004C1121
WSAGetLastError.WSOCK32 ref: 004C11C9
closesocket.WSOCK32(00000000), ref: 004C11F9

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 4c8cf4fb4acc085cd14a73aad5899841fba0f1a144b370504ba58131a25a8b32
Instruction ID: 47ffa7493e2015f64aa19a83b10b730bdadacdf65b648146cfaff894045f0197
Opcode Fuzzy Hash: 4c8cf4fb4acc085cd14a73aad5899841fba0f1a144b370504ba58131a25a8b32
Instruction Fuzzy Hash: 2B41D535600105AFDB109F14C884FAAB7E9EF46368F18815EFD159B292CB78ED41CBA9

Function 004ACF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ACF22,?), ref: 004ADDFD

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ACF22,?), ref: 004ADE16

lstrcmpiW.KERNEL32(?,?), ref: 004ACF45
MoveFileW.KERNEL32(?,?), ref: 004ACF7F
_wcslen.LIBCMT ref: 004AD005
_wcslen.LIBCMT ref: 004AD01B
SHFileOperationW.SHELL32(?), ref: 004AD061

Strings

\*.*, xrefs: 004ACFF3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 5cd05277562859b17dc5cd017436be8e5492e8bbf59e18f1a9adca612e7dda75
Instruction ID: 392ac6026eeb3a22524224528d312c1bc87afe7fc8ef7bf82fcfc7fa6a892a5a
Opcode Fuzzy Hash: 5cd05277562859b17dc5cd017436be8e5492e8bbf59e18f1a9adca612e7dda75
Instruction Fuzzy Hash: B6415871D451195FDF52EBA5C9C1ADEB7B8AF15344F0000EBE505EB141EB38AA44CB54

Function 004D2DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004D2E1C
GetWindowLongW.USER32(?,000000F0), ref: 004D2E4F
GetWindowLongW.USER32(?,000000F0), ref: 004D2E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004D2EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004D2EE0
GetWindowLongW.USER32(?,000000F0), ref: 004D2EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D2F0B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 76477104da214ec9165e06b8005597cff0cac5f047b208d206b1b8f997a40c10
Instruction ID: fcfbbe9f3a7f35c7ee366bc3b880ab5396c1a7dc80de23eddae060bdac864776
Opcode Fuzzy Hash: 76477104da214ec9165e06b8005597cff0cac5f047b208d206b1b8f997a40c10
Instruction Fuzzy Hash: D4311530645151AFDB21CF18DDA4FA637E0EBAA711F1441A6FA108F3B1CBB5E844EB09

Function 004A7726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A778F
SysAllocString.OLEAUT32(00000000), ref: 004A7792
SysAllocString.OLEAUT32(?), ref: 004A77B0
SysFreeString.OLEAUT32(?), ref: 004A77B9
StringFromGUID2.OLE32(?,?,00000028), ref: 004A77DE
SysAllocString.OLEAUT32(?), ref: 004A77EC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d8bb78fb26f7e24e0c0d27d91ecb4d483ae1bfa94ead8a35bcfb813fdb8999d4
Instruction ID: d834d9d838939c2bccd77927589367021da2b976bec31c93e0498fbe242491d2
Opcode Fuzzy Hash: d8bb78fb26f7e24e0c0d27d91ecb4d483ae1bfa94ead8a35bcfb813fdb8999d4
Instruction Fuzzy Hash: 7121C77A605219AFDF10DFA8CC84CBB77ACEB1A3647008127F904DB291D674EC45CB68

Function 004A77FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 004A7868
SysAllocString.OLEAUT32(00000000), ref: 004A786B
SysAllocString.OLEAUT32 ref: 004A788C
SysFreeString.OLEAUT32 ref: 004A7895
StringFromGUID2.OLE32(?,?,00000028), ref: 004A78AF
SysAllocString.OLEAUT32(?), ref: 004A78BD

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 02bcf56f4b2eb7d39b6aa7e29221aea707f963fce583c15d1da9a08ab449c4be
Instruction ID: 58574808da0cbfdf40cb8d4d9d1eaa02c9caff67c5b7afd5d902c739162ff6cc
Opcode Fuzzy Hash: 02bcf56f4b2eb7d39b6aa7e29221aea707f963fce583c15d1da9a08ab449c4be
Instruction Fuzzy Hash: CE21A431609105AFDB20AFA8DC88DAB77ECEF19360710813AF915CB2A5D67CDC45CB68

Function 004B04D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 004B04F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B052E

Strings

nul, xrefs: 004B0567

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 74793bd0e7fb4925b538dfb35c6147ccbabbd2f7963e5a89d4c8a572857888ab
Instruction ID: 94b8e1d95637bcbf618ee58becd51ff788a14973bbe5ec2d16f6b1caa4af6b28
Opcode Fuzzy Hash: 74793bd0e7fb4925b538dfb35c6147ccbabbd2f7963e5a89d4c8a572857888ab
Instruction Fuzzy Hash: B7218DB1500306AFDB309F69DC44ADB7BE4AF54725F204A2AF8A1D62E0D7749941CF38

Function 004B05A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 004B05C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 004B0601

Strings

nul, xrefs: 004B0639

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d7a2e380bdf39fe4debcd54329ecb37c7a321aa895f093cc24d09092e63fd003
Instruction ID: b18e9eac55d7f52dcf7a31eba5c66707712f81b450b70839d2619d75c6bc7e60
Opcode Fuzzy Hash: d7a2e380bdf39fe4debcd54329ecb37c7a321aa895f093cc24d09092e63fd003
Instruction Fuzzy Hash: 3D217F75500306ABDB209F698C44ADB77E4BF95725F200B1AECA1E72E0D7749861CB28

Function 004D40AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0044600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
Part of subcall function 0044600E: GetStockObject.GDI32(00000011), ref: 00446060
Part of subcall function 0044600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 004D4112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 004D411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 004D412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 004D4139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 004D4145

Strings

Msctls_Progress32, xrefs: 004D40E3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 7c2b11f17bca165079468c48876145974ef0b443ba41a51deda4c95b43183e3c
Instruction ID: f69f012502aa063981a989bb5269bf26ec50392998d2356d6141488d885c4c8e
Opcode Fuzzy Hash: 7c2b11f17bca165079468c48876145974ef0b443ba41a51deda4c95b43183e3c
Instruction Fuzzy Hash: 121193B1150119BFEF118F64CC85EEB7F6DEF09798F014112B718A2190C6769C21DBA8

Function 0047D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0047D7A3: _free.LIBCMT ref: 0047D7CC

_free.LIBCMT ref: 0047D82D

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047D838
_free.LIBCMT ref: 0047D843
_free.LIBCMT ref: 0047D897
_free.LIBCMT ref: 0047D8A2
_free.LIBCMT ref: 0047D8AD
_free.LIBCMT ref: 0047D8B8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 804389c3e41c50e3092ec096abba039725b34e916578a4ab36863824884e7bd9
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: D51181F1A50B04AAD531BFB2CC07FCBBBEC6F40704F44882EB29DA6092DA6CB5494654

Function 004ADA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 004ADA74
LoadStringW.USER32(00000000), ref: 004ADA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004ADA91
LoadStringW.USER32(00000000), ref: 004ADA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 004ADADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 004ADAB9

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 90f324e552b8d78d3f5ff097c4d5291a76096da663af796a468f67d47592e2d4
Instruction ID: 8c8b13b5b8a3f2233f283526b221920a1c95ab5d42170351b8643db1df47f13f
Opcode Fuzzy Hash: 90f324e552b8d78d3f5ff097c4d5291a76096da663af796a468f67d47592e2d4
Instruction Fuzzy Hash: B80162F29002197FEB109BA09DC9EEB376CE709701F4045A7B706E2041EA749E848F78

Function 004B096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00D7F0B0,00D7F0B0), ref: 004B097B
EnterCriticalSection.KERNEL32(00D7F090,00000000), ref: 004B098D
TerminateThread.KERNEL32(?,000001F6), ref: 004B099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 004B09A9
CloseHandle.KERNEL32(?), ref: 004B09B8
InterlockedExchange.KERNEL32(00D7F0B0,000001F6), ref: 004B09C8
LeaveCriticalSection.KERNEL32(00D7F090), ref: 004B09CF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6c44b8b2652ed3c52ba62c1e75537857bdc89360587007c152d5d510ed2f846a
Instruction ID: 9f7172ae23fb9d0db2e95bf315e97fd0ea21d285f82abf9bc9784e8e49704f22
Opcode Fuzzy Hash: 6c44b8b2652ed3c52ba62c1e75537857bdc89360587007c152d5d510ed2f846a
Instruction Fuzzy Hash: E5F01D71483513ABD7515B94EEC8BD67B25BF01702F401126F101908A0C7749465CFA8

Function 004C1C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 004C1DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 004C1DE1
WSAGetLastError.WSOCK32 ref: 004C1DF2
htons.WSOCK32(?,?,?,?,?), ref: 004C1EDB
inet_ntoa.WSOCK32(?), ref: 004C1E8C

Part of subcall function 004A39E8: _strlen.LIBCMT ref: 004A39F2

Part of subcall function 004C3224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,004BEC0C), ref: 004C3240

_strlen.LIBCMT ref: 004C1F35

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 7edf8fd146871df9098ca9412940d94e0dcb8719d1b9720fc5b73da497fc36a1
Instruction ID: 6a0fa14d9d8498348cdba801ed78d82152eac6f8a8bebc09dbbc4505b345ef81
Opcode Fuzzy Hash: 7edf8fd146871df9098ca9412940d94e0dcb8719d1b9720fc5b73da497fc36a1
Instruction Fuzzy Hash: F2B1CE38204300AFD324EF25C885F2A77A5AF86318F54854EF4565B3A3DB39ED46CB96

Function 00445D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00445D30
GetWindowRect.USER32(?,?), ref: 00445D71
ScreenToClient.USER32(?,?), ref: 00445D99
GetClientRect.USER32(?,?), ref: 00445ED7
GetWindowRect.USER32(?,?), ref: 00445EF8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 62542fb794da41b2ab9ccbd2637820f96d8aeb583f37f453c478466c5bc1f646
Instruction ID: 72480a2ec9acf83b844885cf84cbf01574e8bbcb00171fe7afb2dfbd4f94d667
Opcode Fuzzy Hash: 62542fb794da41b2ab9ccbd2637820f96d8aeb583f37f453c478466c5bc1f646
Instruction Fuzzy Hash: 30B16A78A0064ADBDF10DFA9C4806EEB7F1FF54310F14881AE8A9D7250D738AA51DB59

Function 004701B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004700BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004700D6
__allrem.LIBCMT ref: 004700ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0047010B
__allrem.LIBCMT ref: 00470122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00470140

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: 8a8774b65479ff81f8b32aeb959697c4ecd07da5f41e5d7322bf7996e4bbdb77
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 62811471A01706DBE724AA29DC41BAB73E8EF41328F24852FF554D7381E7B9D9008B99

Function 004761FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004682D9,004682D9,?,?,?,0047644F,00000001,00000001,8BE85006), ref: 00476258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0047644F,00000001,00000001,8BE85006,?,?,?), ref: 004762DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004763D8
__freea.LIBCMT ref: 004763E5

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

__freea.LIBCMT ref: 004763EE
__freea.LIBCMT ref: 00476413

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 3b74c31726adfd5b9e2d7e5b9a8c70b5125f019879bf5c2e6354832ed129786b
Instruction ID: 20addcb45620c3d18e578df516695351e0960e7c310a6fd9a0780419a31d9ded
Opcode Fuzzy Hash: 3b74c31726adfd5b9e2d7e5b9a8c70b5125f019879bf5c2e6354832ed129786b
Instruction Fuzzy Hash: DE510672600616ABDB259F74CC81EEF77AAEF44714F16862AFC09D6241DB38DC44C768

Function 004CBBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CBD25
RegCloseKey.ADVAPI32(00000000), ref: 004CBD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 004CBD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 004CBDF3
RegCloseKey.ADVAPI32(?), ref: 004CBDFF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 3b83bae665eb9a5d472153ba608e0f29126ab891f0d5e4381712ecaf7fc615fb
Instruction ID: 869207f936dda75d7b6bc8b350bcfa863f4f331a00f0e5929e38f6971bbf575f
Opcode Fuzzy Hash: 3b83bae665eb9a5d472153ba608e0f29126ab891f0d5e4381712ecaf7fc615fb
Instruction Fuzzy Hash: 4281A174208241AFD754DF24C886E2BBBE5FF84308F14895EF45A4B2A2DB35ED05CB96

Function 0049F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0049F7B9
SysAllocString.OLEAUT32(00000001), ref: 0049F860
VariantCopy.OLEAUT32(0049FA64,00000000), ref: 0049F889
VariantClear.OLEAUT32(0049FA64), ref: 0049F8AD
VariantCopy.OLEAUT32(0049FA64,00000000), ref: 0049F8B1
VariantClear.OLEAUT32(?), ref: 0049F8BB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: f037b728decf34ba4bdff9310879a2df0bb7c65dfd1a0af1855e75be9c62c669
Instruction ID: 0e96e7a2286b37358978302b7170fa36509b667e24c9d413439ee043a2ecaa37
Opcode Fuzzy Hash: f037b728decf34ba4bdff9310879a2df0bb7c65dfd1a0af1855e75be9c62c669
Instruction Fuzzy Hash: 4B51E571500310BADF10AB66D895B69BBA4EF45314B24847BE806DF292DB78CC49C7AF

Function 004B910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 004B94E5
_wcslen.LIBCMT ref: 004B9506
_wcslen.LIBCMT ref: 004B952D
GetSaveFileNameW.COMDLG32(00000058), ref: 004B9585

Strings

X, xrefs: 004B9412

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: fcc63b38ae98e03fe8cf02b9625becf74ae7fb4c4933e1927453c64a00b548c1
Instruction ID: fc33dbc26a5e39ec74f57721e8582fc996a6fcaa2d91cacdcaf4c9ab1452db09
Opcode Fuzzy Hash: fcc63b38ae98e03fe8cf02b9625becf74ae7fb4c4933e1927453c64a00b548c1
Instruction Fuzzy Hash: D8E194315083409FD724DF25C481A9BB7E0BF85318F14896EF9899B3A2DB35DD05CBA6

Function 0045920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

BeginPaint.USER32(?,?,?), ref: 00459241
GetWindowRect.USER32(?,?), ref: 004592A5
ScreenToClient.USER32(?,?), ref: 004592C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 004592D3
EndPaint.USER32(?,?,?,?,?), ref: 00459321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004971EA

Part of subcall function 00459339: BeginPath.GDI32(00000000), ref: 00459357

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 875fdfe8782e825b356bc2f9690063502b30fb2f741a747fc86d6d20401cdbab
Instruction ID: dd045b17d98a7e904e7a1406f694cfd32e55d5ef9c8618be4c25c069dd5f42f4
Opcode Fuzzy Hash: 875fdfe8782e825b356bc2f9690063502b30fb2f741a747fc86d6d20401cdbab
Instruction Fuzzy Hash: 7241B030105301EFDB10DF25CC85FBA7BA8EB59325F04066AFE64872A2C7349C49DB6A

Function 004B07EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004B080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 004B0847
EnterCriticalSection.KERNEL32(?), ref: 004B0863
LeaveCriticalSection.KERNEL32(?), ref: 004B08DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 004B08F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 004B0921

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: a42afa354e459593c21e9237d915a415d00205642400261d9d31c6e8e14f2dc4
Instruction ID: 7d505282309eacf58b106f1ba9a3a871465df72214dac83a2fcf77a7d95f5d5b
Opcode Fuzzy Hash: a42afa354e459593c21e9237d915a415d00205642400261d9d31c6e8e14f2dc4
Instruction Fuzzy Hash: A4416871900205EBDF14AF55DC85AAB77B8FF04305F1440AAED00AA297DB34DE68DBA8

Function 004D81DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0049F3AB,00000000,?,?,00000000,?,0049682C,00000004,00000000,00000000), ref: 004D824C
EnableWindow.USER32(?,00000000), ref: 004D8272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 004D82D1
ShowWindow.USER32(?,00000004), ref: 004D82E5
EnableWindow.USER32(?,00000001), ref: 004D830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 004D832F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 6065a3ac7a61e88a810fd0874feb2e188f982ca7bd7243f69f370d6868508921
Instruction ID: 4dda4ff9f4f532e93b2cd8fab35a0e9d0f6a0309a71f9e075957fbe254f11ff0
Opcode Fuzzy Hash: 6065a3ac7a61e88a810fd0874feb2e188f982ca7bd7243f69f370d6868508921
Instruction Fuzzy Hash: E0417134601645AFDB11CF25CCA5BF57BE0BB0A715F1842EFEA184B362CB36A845CB58

Function 004A4C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004A4C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 004A4CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 004A4CEA
_wcslen.LIBCMT ref: 004A4D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 004A4D10
_wcsstr.LIBVCRUNTIME ref: 004A4D1A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 616122ca7c2ff7517f5e56703de08824b3c6c55c9caac7007e75c8978d3c64d7
Instruction ID: 32d40bad69c6ad71967304679c1cf19ddec969ec7f7944f535f3a84abab70c75
Opcode Fuzzy Hash: 616122ca7c2ff7517f5e56703de08824b3c6c55c9caac7007e75c8978d3c64d7
Instruction Fuzzy Hash: B5210A316051017BEB155B359C49E7F7B9CDFD6750F10403FF805CA192EAA9DC01C265

Function 004B581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00443AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00443A97,?,?,00442E7F,?,?,?,00000000), ref: 00443AC2

_wcslen.LIBCMT ref: 004B587B
CoInitialize.OLE32(00000000), ref: 004B5995
CoCreateInstance.OLE32(004DFCF8,00000000,00000001,004DFB68,?), ref: 004B59AE
CoUninitialize.OLE32 ref: 004B59CC

Strings

.lnk, xrefs: 004B5876, 004B58C1, 004B5985

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 09f44e5ae4eb8db61ebc69197f775f482b1986c5ab27262fc05c29e2fae43e5a
Instruction ID: cf24147f627aa88f744292aa4e359fe15088e3bace29697af8c3078ae3385c9a
Opcode Fuzzy Hash: 09f44e5ae4eb8db61ebc69197f775f482b1986c5ab27262fc05c29e2fae43e5a
Instruction Fuzzy Hash: 74D15471A087019FC714DF25C480A6ABBE1FF89718F14885EF8899B361D739EC45CBA6

Function 004A175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A0FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004A0FCA
Part of subcall function 004A0FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004A0FD6
Part of subcall function 004A0FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004A0FE5
Part of subcall function 004A0FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004A0FEC
Part of subcall function 004A0FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004A1002

GetLengthSid.ADVAPI32(?,00000000,004A1335), ref: 004A17AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004A17BA
HeapAlloc.KERNEL32(00000000), ref: 004A17C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 004A17DA
GetProcessHeap.KERNEL32(00000000,00000000,004A1335), ref: 004A17EE
HeapFree.KERNEL32(00000000), ref: 004A17F5

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 6f9f49de300008e69bd10427186cd14bbfb9e7e3f650dbf31626e63c3995f137
Instruction ID: 976d4ca628bef872555c544b1ca0658c17fffc67f5813a53e7043c9163bdf345
Opcode Fuzzy Hash: 6f9f49de300008e69bd10427186cd14bbfb9e7e3f650dbf31626e63c3995f137
Instruction Fuzzy Hash: A211D035501216FFDB109FA4CC89FAFBBB9EF52355F10402AF481A72A0C739A940CB68

Function 004A14CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004A14FF
OpenProcessToken.ADVAPI32(00000000), ref: 004A1506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004A1515
CloseHandle.KERNEL32(00000004), ref: 004A1520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004A154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 004A1563

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 57eeda094e0d5ebaf6ec80180e767e2ac05c0211d024343bad6c57f6895f2e68
Instruction ID: 15ea8d859d0c465671aa0f3140cdcdf6b188f8fe3dbc65c85503299af5234cbc
Opcode Fuzzy Hash: 57eeda094e0d5ebaf6ec80180e767e2ac05c0211d024343bad6c57f6895f2e68
Instruction Fuzzy Hash: 9B11297250120AABDF128F98DE89BDE7BA9EF49744F044126FA05A21A0C375CE61DB64

Function 00463382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00463379,00462FE5), ref: 00463390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0046339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 004633B7
SetLastError.KERNEL32(00000000,?,00463379,00462FE5), ref: 00463409

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fb06a87d55c53b046d6a0268f45a083ad291961f753a8ac6511768ed65fbf817
Instruction ID: 5564d2cd645d4ee8fdadce5634438be60f8a9652e17869fc412d8015dc5ec08c
Opcode Fuzzy Hash: fb06a87d55c53b046d6a0268f45a083ad291961f753a8ac6511768ed65fbf817
Instruction Fuzzy Hash: 0C01F532609351BEEA242F75AC8956F2E54DB1677B320032FF811803F1FF195D15A14E

Function 00472D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00475686,00483CD6,?,00000000,?,00475B6A,?,?,?,?,?,0046E6D1,?,00508A48), ref: 00472D78
_free.LIBCMT ref: 00472DAB
_free.LIBCMT ref: 00472DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0046E6D1,?,00508A48,00000010,00444F4A,?,?,00000000,00483CD6), ref: 00472DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0046E6D1,?,00508A48,00000010,00444F4A,?,?,00000000,00483CD6), ref: 00472DEC
_abort.LIBCMT ref: 00472DF2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 4c3fb8f6a3e3de05c69fb44b1fa74301a19c4bf64b36c201fbf2e573b1092f5c
Instruction ID: 29741c454269a0fc804e15d6f851d3e66cb89a8ab89a42e72dced2cc05025eab
Opcode Fuzzy Hash: 4c3fb8f6a3e3de05c69fb44b1fa74301a19c4bf64b36c201fbf2e573b1092f5c
Instruction Fuzzy Hash: 2AF0493150150037C63227397E06ADF1619AFC2365F24C51FF82C922D2DEAC8841912C

Function 004D8A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00459639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596A2
Part of subcall function 00459639: BeginPath.GDI32(?), ref: 004596B9
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 004D8A4E
LineTo.GDI32(?,00000003,00000000), ref: 004D8A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 004D8A70
LineTo.GDI32(?,00000000,00000003), ref: 004D8A80
EndPath.GDI32(?), ref: 004D8A90
StrokePath.GDI32(?), ref: 004D8AA0

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 245919cc8688d0b38c734412184057a0c6759b8ef3b73f15e3b89e0c123529c7
Instruction ID: 879d9942a8ef9d6acfb98ed3872ea6ea06db535d15b9b0469ff273e25553ce45
Opcode Fuzzy Hash: 245919cc8688d0b38c734412184057a0c6759b8ef3b73f15e3b89e0c123529c7
Instruction Fuzzy Hash: 0411177600114DFFEF129F90DC88EEA7F6CEB08354F008066BA199A2A1C7719D55DFA4

Function 004A51FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004A5218
GetDeviceCaps.GDI32(00000000,00000058), ref: 004A5229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004A5230
ReleaseDC.USER32(00000000,00000000), ref: 004A5238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 004A524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 004A5261

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: fdf42a5185e83e33acf756eea995a0baed75cda116181788e125eec15ab0aab5
Instruction ID: 843fc4c000778595a95891ad08ca1764b7578ec82991bca07192dea46f208f45
Opcode Fuzzy Hash: fdf42a5185e83e33acf756eea995a0baed75cda116181788e125eec15ab0aab5
Instruction Fuzzy Hash: DC018F75A01719BBEF109BA69C89B4EBFB8EF48351F044076FA04A7280D6709800CFA4

Function 00441BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00441BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00441BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00441C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00441C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00441C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00441C22

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: c83abf816e19fbe678a3d153e99f99e7b88ef4ebd3da3a05734020392ece87c1
Instruction ID: 2fc67f94d43fd28da8e938f7441fca47cbb14ae0c51f724563d231210af2015c
Opcode Fuzzy Hash: c83abf816e19fbe678a3d153e99f99e7b88ef4ebd3da3a05734020392ece87c1
Instruction Fuzzy Hash: 160167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 004AEB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004AEB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 004AEB46
GetWindowThreadProcessId.USER32(?,?), ref: 004AEB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 004AEB75

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 77412e03bd695e857d9913174056e9f9331512be6b286cd82ff738a9786ecf35
Instruction ID: 7054845605fcb9c4d7f14d4bd4a228761581e58e61b844e4f67e71ce4ff4a0e9
Opcode Fuzzy Hash: 77412e03bd695e857d9913174056e9f9331512be6b286cd82ff738a9786ecf35
Instruction Fuzzy Hash: 79F05472142169BBEB215B529C4DEEF7F7CEFCBB11F00016AF611D1191DBA05A01CAB9

Function 00497439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00497452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00497469
GetWindowDC.USER32(?), ref: 00497475
GetPixel.GDI32(00000000,?,?), ref: 00497484
ReleaseDC.USER32(?,00000000), ref: 00497496
GetSysColor.USER32(00000005), ref: 004974B0

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: f0dd28f1dea1d8d4c387c3e1d8b667d78e567d94ab241d668091df8176e53693
Instruction ID: f04e4643b0f4c4b5e92895c49a5107594a6ef7fdfe19b53a95548838e2490c6c
Opcode Fuzzy Hash: f0dd28f1dea1d8d4c387c3e1d8b667d78e567d94ab241d668091df8176e53693
Instruction Fuzzy Hash: 8E018B31405216FFDB105FA4DC48BAE7FB5FB04311F100172F916A21A1CB311E42EB59

Function 004A1874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 004A187F
UnloadUserProfile.USERENV(?,?), ref: 004A188B
CloseHandle.KERNEL32(?), ref: 004A1894
CloseHandle.KERNEL32(?), ref: 004A189C
GetProcessHeap.KERNEL32(00000000,?), ref: 004A18A5
HeapFree.KERNEL32(00000000), ref: 004A18AC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a5845da449ff2005859ee37426824915d896e0d9511d9cc719c3049bca7ad70b
Instruction ID: 3d53e895ff4190afc8237d2857e3676783268a3ab1009ebf35200e3d3ccb2326
Opcode Fuzzy Hash: a5845da449ff2005859ee37426824915d896e0d9511d9cc719c3049bca7ad70b
Instruction Fuzzy Hash: EBE0E536085112FBDB016FA1ED4C90ABF39FF49B22B108232F225810B0CB329420DF58

Function 0044BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0044BEB3

Strings

D%Q, xrefs: 0044BE9A
D%Q, xrefs: 0044BCA2
D%Q, xrefs: 0044BDED, 0044BD91, 0044BD1B
D%QD%Q, xrefs: 0044BCA5

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%Q$D%Q$D%Q$D%QD%Q
API String ID: 1385522511-2675459294
Opcode ID: 4fcf8aa9873ddece55a3007e5e5147d209f0f3208898c7caed342ab8f5210622
Instruction ID: 0ba7a8de2bb56d4c2ff83a37bdd18722cfed48367b30cee661fb2c7182108769
Opcode Fuzzy Hash: 4fcf8aa9873ddece55a3007e5e5147d209f0f3208898c7caed342ab8f5210622
Instruction Fuzzy Hash: 3D9128B5A002068FDB18CF59C0D06AABBF2FB58314F24816ED945AB350E735E982DBD4

Function 004C7B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00460242: EnterCriticalSection.KERNEL32(0051070C,00511884,?,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046024D
Part of subcall function 00460242: LeaveCriticalSection.KERNEL32(0051070C,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046028A

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

__Init_thread_footer.LIBCMT ref: 004C7BFB

Part of subcall function 004601F8: EnterCriticalSection.KERNEL32(0051070C,?,?,00458747,00512514), ref: 00460202
Part of subcall function 004601F8: LeaveCriticalSection.KERNEL32(0051070C,?,00458747,00512514), ref: 00460235

Strings

+TI, xrefs: 004C7E2E
G, xrefs: 004C7C7F
5, xrefs: 004C7C78
Variable must be of type 'Object'., xrefs: 004C7C3A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +TI$5$G$Variable must be of type 'Object'.
API String ID: 535116098-2135982235
Opcode ID: 12ef4e4f2fa3659f695f60da5433f734cd258c81434d6b257560096eb060bf71
Instruction ID: d814add8410bfd73be9f32f71b532d404978eff9d7fa82c2419d420fa5cb2141
Opcode Fuzzy Hash: 12ef4e4f2fa3659f695f60da5433f734cd258c81434d6b257560096eb060bf71
Instruction Fuzzy Hash: 2F918E78604209AFCB54EF55D891EAEB7B1BF48304F10805EF8065B392DB39AE45CF59

Function 004AC5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004AC6EE
_wcslen.LIBCMT ref: 004AC735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 004AC79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 004AC7CA

Strings

0, xrefs: 004AC6AF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 0a73aec8e9ad30a0dc68048056ab5e9cfc19469c1d7272fdcea383e263b0fab9
Instruction ID: e9de0057a82d3101d306c3bf0d885291ea8b28e1133229dc707f52b5993a6edf
Opcode Fuzzy Hash: 0a73aec8e9ad30a0dc68048056ab5e9cfc19469c1d7272fdcea383e263b0fab9
Instruction Fuzzy Hash: F751F2756043029BD791DF28C8C5B6B77E4AF6A314F040A2FF991D2291DB68D844CB5E

Function 004CAD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 004CAEA3

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

GetProcessId.KERNEL32(00000000), ref: 004CAF38
CloseHandle.KERNEL32(00000000), ref: 004CAF67

Strings

@, xrefs: 004CAE72
<, xrefs: 004CAE6B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 5358179dec2fbef22ff0c3e8ac386e4ad1d8a9621bd33561bc4b1860475b1fca
Instruction ID: eb3454d2df6e9497d491bec623619317b1cf6e1e54fcbe778e461964d3bec5d4
Opcode Fuzzy Hash: 5358179dec2fbef22ff0c3e8ac386e4ad1d8a9621bd33561bc4b1860475b1fca
Instruction Fuzzy Hash: 45717774A00619DFDB10EF55C484A9EBBF0EF08318F04849EE816AB392C778ED45CB99

Function 004A719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 004A7206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 004A723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 004A724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 004A72CF

Strings

DllGetClassObject, xrefs: 004A7242

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 428432876d29d91d613f319c34e7018e40604d125267dc3a9253c5e804b657b8
Instruction ID: c6391443badf660c9680812f54962052c7dd08a41da0e738279d96f76e949374
Opcode Fuzzy Hash: 428432876d29d91d613f319c34e7018e40604d125267dc3a9253c5e804b657b8
Instruction Fuzzy Hash: 62418E72604204AFDB25CF54CC84B9A7BA9EF55310F1480AFFD059F24AD7B8D945CBA4

Function 004D3D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004D3E35
IsMenu.USER32(?), ref: 004D3E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004D3E92
DrawMenuBar.USER32 ref: 004D3EA5

Strings

0, xrefs: 004D3D89

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ddf1027fc23c76eaf2cdb71c26b891b3d3037cab7cf9d36f4f0acf8fb0989682
Instruction ID: 6f42d7d2e0be1b43691b42970ae5d8c4c3969089ee4154642ef558c2161ee4d5
Opcode Fuzzy Hash: ddf1027fc23c76eaf2cdb71c26b891b3d3037cab7cf9d36f4f0acf8fb0989682
Instruction Fuzzy Hash: 40418875A01209EFDB10DF50D894AEABBB9FF48351F04412BE901AB390D338AE44CF55

Function 004A1DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 004A1E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 004A1E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 004A1EA9

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Strings

ListBox, xrefs: 004A1E25
ComboBox, xrefs: 004A1DF0

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: a076267ea52554a7f2f94a711cd0490e3c3b8da85a011819645ede6da5dc5f23
Instruction ID: 8062b52d5b2c8e71e972e48395cd1888bbb04a108106836093ac1577a3ca7879
Opcode Fuzzy Hash: a076267ea52554a7f2f94a711cd0490e3c3b8da85a011819645ede6da5dc5f23
Instruction Fuzzy Hash: 2921F671A00104AAEB14AB65DC86CFFB7B9DF56364F10412FF815A72E1DB3C4D0A9628

Function 004D2F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 004D2F8D
LoadLibraryW.KERNEL32(?), ref: 004D2F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 004D2FA9
DestroyWindow.USER32(?), ref: 004D2FB1

Strings

SysAnimate32, xrefs: 004D2F68

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 2e07c8187005f3f5b2dd8b7b8abff6cbb2ca9c14b5ffecc1963abd3e76e293cf
Instruction ID: 69fc5b359d6b0e2a13b62caa9ddc6e2c35d8bf9d31ac1f74028bdf8afb82e4b9
Opcode Fuzzy Hash: 2e07c8187005f3f5b2dd8b7b8abff6cbb2ca9c14b5ffecc1963abd3e76e293cf
Instruction Fuzzy Hash: 3F219D71204205ABEB104F64DD90EBB37B9EB69368F104A2FF950D2390D7B5DC51A768

Function 00464D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00464D1E,004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002), ref: 00464D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00464DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00464D1E,004728E9,?,00464CBE,004728E9,005088B8,0000000C,00464E15,004728E9,00000002,00000000), ref: 00464DC3

Strings

mscoree.dll, xrefs: 00464D86
CorExitProcess, xrefs: 00464D98

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 42afb1069db028b076edf69e026581dc4d11917a89267236b1ed0d6a6a8006bb
Instruction ID: b5cccaf866178dff355ca40e95ed31c07f5767f49721edb1756690f199d1f851
Opcode Fuzzy Hash: 42afb1069db028b076edf69e026581dc4d11917a89267236b1ed0d6a6a8006bb
Instruction Fuzzy Hash: E6F0C230A01219FBDB109F91DC49BAEBFB8EF44752F0001AAF805A2260DF745D80DF99

Function 00444E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00444EAE
FreeLibrary.KERNEL32(00000000,?,?,00444EDD,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444EC0

Strings

kernel32.dll, xrefs: 00444E94
Wow64DisableWow64FsRedirection, xrefs: 00444EA8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: a52d7c486517354af01fbd597d2dd8e2094850c149b3bb82e714c66a353d95ee
Instruction ID: 39f81a769c156fd04c0515c632d7469be6a33372fb770abbe9968e9c434623e5
Opcode Fuzzy Hash: a52d7c486517354af01fbd597d2dd8e2094850c149b3bb82e714c66a353d95ee
Instruction Fuzzy Hash: 8DE08635A025339BE22117256C5CB5F6758AFC2B637150127FC00D2354DF68CD01C4A8

Function 00444E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00444E74
FreeLibrary.KERNEL32(00000000,?,?,00483CDE,?,00511418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00444E87

Strings

kernel32.dll, xrefs: 00444E5B
Wow64RevertWow64FsRedirection, xrefs: 00444E6E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 97d88044aaa0a9573afed22ef4006c318c2a5e130005890dad4da1b76f5d56f7
Instruction ID: 032ed8dc186aa5f1ede4550bf8e68155a515bc15e5fa9291530e4bd3d326e81d
Opcode Fuzzy Hash: 97d88044aaa0a9573afed22ef4006c318c2a5e130005890dad4da1b76f5d56f7
Instruction Fuzzy Hash: EAD01235503A3357AA221B257C58F8F6B1CAFC6B613150627B905E7255DF68CD01C9DC

Function 004B2947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2C05
DeleteFileW.KERNEL32(?), ref: 004B2C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 004B2C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 004B2CC0

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: cc2d33e0a2e22f38d4a198823e032fec77d547de0266a96ae6a25e8024a53af2
Instruction ID: 47793e12897cbf770b1800174fc7eca6335dd580bd72017748ef09ce128b468f
Opcode Fuzzy Hash: cc2d33e0a2e22f38d4a198823e032fec77d547de0266a96ae6a25e8024a53af2
Instruction Fuzzy Hash: E5B17F72D00119ABDF11DFA5CD85EDEBBBDEF08344F0040ABF609E6151EA789A448F69

Function 004CA387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 004CA427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 004CA435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 004CA468
CloseHandle.KERNEL32(?), ref: 004CA63D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a538167c27b50ec615eaa3039d440dcfc0403909b86a0eb752af845ef7d02aab
Instruction ID: 9711f706c4519f47684008f72a35ae953cd2308f277f9d694686834f59889f96
Opcode Fuzzy Hash: a538167c27b50ec615eaa3039d440dcfc0403909b86a0eb752af845ef7d02aab
Instruction Fuzzy Hash: 8CA1B275604300AFE760DF15C886F2AB7E1AF44718F14881EF99A9B3D2D778EC058B86

Function 0047BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,004E3700), ref: 0047BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0051121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0047BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00511270,000000FF,?,0000003F,00000000,?), ref: 0047BC36
_free.LIBCMT ref: 0047BB7F

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047BD4B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 276b51e5f38a2010c25b3fd0b5eb7560db9500ab1718391f505ea7aecc38e0b2
Instruction ID: 36abbe61f609a4e358f630cda4bc591fb37c0ed63ca088b1fb67e8a00552de0a
Opcode Fuzzy Hash: 276b51e5f38a2010c25b3fd0b5eb7560db9500ab1718391f505ea7aecc38e0b2
Instruction Fuzzy Hash: 0051E8719002099FCB10DF668C81AEEB7BCEF41314B10C26FE928D7291DB745D459BD8

Function 004AE3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,004ACF22,?), ref: 004ADDFD

Part of subcall function 004ADDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,004ACF22,?), ref: 004ADE16

Part of subcall function 004AE199: GetFileAttributesW.KERNEL32(?,004ACF95), ref: 004AE19A

lstrcmpiW.KERNEL32(?,?), ref: 004AE473
MoveFileW.KERNEL32(?,?), ref: 004AE4AC
_wcslen.LIBCMT ref: 004AE5EB
_wcslen.LIBCMT ref: 004AE603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 004AE650

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 44ebc582039cb7a23a3d5423174b7aeec60bc2a837f9fe273fd51a337e9983c7
Instruction ID: 897d3cd52eb352a1f64d2834dc765b13a8cde13c1b2585ad773e1d4c0173963b
Opcode Fuzzy Hash: 44ebc582039cb7a23a3d5423174b7aeec60bc2a837f9fe273fd51a337e9983c7
Instruction Fuzzy Hash: 6F51A2B24083455BD724EBA1DC819DBB3DCAFA5344F00092FF699C3151EF78A588876E

Function 004CB9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004CC998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,004CB6AE,?,?), ref: 004CC9B5
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CC9F1
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA68
Part of subcall function 004CC998: _wcslen.LIBCMT ref: 004CCA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004CBAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004CBB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 004CBB63
RegCloseKey.ADVAPI32(?,?), ref: 004CBBA6
RegCloseKey.ADVAPI32(00000000), ref: 004CBBB3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: f2bdf343f6aff28bacf839fec2df76dde15904531ce6549f1f9d39a148a0c530
Instruction ID: 2afbe340d09e01684d77cfad7e2fbd045d5f549aaa1c595d5eccc796e0c765a0
Opcode Fuzzy Hash: f2bdf343f6aff28bacf839fec2df76dde15904531ce6549f1f9d39a148a0c530
Instruction Fuzzy Hash: C7618B35208241AFD714DF14C891F2ABBE5FF84308F14896EF4998B2A2DB35ED45CB96

Function 004A8BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004A8BCD
VariantClear.OLEAUT32 ref: 004A8C3E
VariantClear.OLEAUT32 ref: 004A8C9D
VariantClear.OLEAUT32(?), ref: 004A8D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 004A8D3B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 4b3301414afd89d13dbc46a0a1a8a68ad9608bcba00535aba5b94d5622e6f6b0
Instruction ID: 6928d5b730bd665ad8bd0613602d672ec2b6ef88de7596e7fb3fa46fdc0f1855
Opcode Fuzzy Hash: 4b3301414afd89d13dbc46a0a1a8a68ad9608bcba00535aba5b94d5622e6f6b0
Instruction Fuzzy Hash: 8E518AB1A00219EFDB10CF28C884AAAB7F8FF99310B15856AE905DB350E734E911CF94

Function 004B8AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 004B8BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 004B8BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 004B8C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 004B8C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 004B8C5F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 5fa65475983a4cf68d719465e64b6dc4caf29432756e15bc83eb8fc617fd9d84
Instruction ID: 8dbb53c6182c20db45c80b15fb1031720733e16cb25c61f476f20f602aa80a4c
Opcode Fuzzy Hash: 5fa65475983a4cf68d719465e64b6dc4caf29432756e15bc83eb8fc617fd9d84
Instruction Fuzzy Hash: DF516135A00215AFDB00DF65C881A6EBBF5FF49318F08845DE8496B362CB35ED51CB94

Function 004C8EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 004C8F40
GetProcAddress.KERNEL32(00000000,?), ref: 004C8FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 004C8FEC
GetProcAddress.KERNEL32(00000000,?), ref: 004C9032
FreeLibrary.KERNEL32(00000000), ref: 004C9052

Part of subcall function 0045F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,004B1043,?,75C0E610), ref: 0045F6E6
Part of subcall function 0045F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0049FA64,00000000,00000000,?,?,004B1043,?,75C0E610,?,0049FA64), ref: 0045F70D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 3e635d17b80f301c26e3086e5f97fdd57325e570f749e3872301964087f66f78
Instruction ID: b9db350ff910227d584071d7a27b4d34cca7c0eba4d41b9d86996a4a5a08e6c3
Opcode Fuzzy Hash: 3e635d17b80f301c26e3086e5f97fdd57325e570f749e3872301964087f66f78
Instruction Fuzzy Hash: D2514B38601205EFD741DF59C484DAEBBB1FF49318B0480AEE8099B362DB35ED86CB95

Function 004D6B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 004D6C33
SetWindowLongW.USER32(?,000000EC,?), ref: 004D6C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 004D6C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,004BAB79,00000000,00000000), ref: 004D6C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 004D6CC7

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: c3c6eac817658d178012c59fad58d5ae7f1b4e2f0c9b93d1b63600e06711c036
Instruction ID: beb019e79bc939d542b93bc3b5d33c18c21f86c39bef2c7b1235e94fb8b6d264
Opcode Fuzzy Hash: c3c6eac817658d178012c59fad58d5ae7f1b4e2f0c9b93d1b63600e06711c036
Instruction Fuzzy Hash: C7410635610114AFDB24CF28CCA8FAA7BA5EB09750F16026BF995A73E0C375ED41DA48

Function 00472051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004720C3
_free.LIBCMT ref: 004720E3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d3648ba8661c965503b7f69203103bdb6253d96812a4df49946af4c3f8243354
Instruction ID: 858002681308a3c299a26272eef0e5f8f03e18d26878b291f943175413e649a6
Opcode Fuzzy Hash: d3648ba8661c965503b7f69203103bdb6253d96812a4df49946af4c3f8243354
Instruction Fuzzy Hash: C9410772A002009FCB20DF79C981A9EB7F1FF85314F15816AE609EB351D675AD05C795

Function 0045912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00459141
ScreenToClient.USER32(00000000,?), ref: 0045915E
GetAsyncKeyState.USER32(00000001), ref: 00459183
GetAsyncKeyState.USER32(00000002), ref: 0045919D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 7f68a62a2e30f354b5f290b99303e9bf316ed89dbfebe0a8be89baa33754da34
Instruction ID: 45d1c7f9555b6bb2a9b00fa1ecb847902e0fb70681f8f061b8de6ede00ba29b5
Opcode Fuzzy Hash: 7f68a62a2e30f354b5f290b99303e9bf316ed89dbfebe0a8be89baa33754da34
Instruction Fuzzy Hash: 9A416E3190861BFBDF059F64C844BEEBB74FB05325F20822BE825A2391C7385D54CB59

Function 004B3874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 004B38CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 004B3922
TranslateMessage.USER32(?), ref: 004B394B
DispatchMessageW.USER32(?), ref: 004B3955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004B3966

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: d20046e7ee86fbbb63a3752f52df6fe807b1c37c4ed4b7c465be641261e34aea
Instruction ID: 2b84c158a0598ce82062e6dcaef4fbbec360e06a0c1dd47e41d238d7c0f57a14
Opcode Fuzzy Hash: d20046e7ee86fbbb63a3752f52df6fe807b1c37c4ed4b7c465be641261e34aea
Instruction Fuzzy Hash: 4931BDB0504742AEEF35CF369848BF737E49B15305F04456FD562C22A0E7B8A689DB39

Function 004BCF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCF38
InternetReadFile.WININET(?,00000000,?,?), ref: 004BCF6F
GetLastError.KERNEL32(?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,004BC21E,00000000), ref: 004BCFF2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 82062068508b0d5521f1c4015acd1682875418e214ed60ad15fb1351909dbfa1
Instruction ID: 21ead6be47b2dd18e2fea094691d226204665ab19b482cc22d234b4c166bb2f4
Opcode Fuzzy Hash: 82062068508b0d5521f1c4015acd1682875418e214ed60ad15fb1351909dbfa1
Instruction Fuzzy Hash: 67314D71A00206AFDB20DFA5C8C49BBBBFAEB14355B1044AFF506D2281D738AD45DB68

Function 004A1901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004A1915
PostMessageW.USER32(00000001,00000201,00000001), ref: 004A19C1
Sleep.KERNEL32(00000000,?,?,?), ref: 004A19C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 004A19DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 004A19E2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5fc6d21c18e30290d7cfeb94d6cafe41987ffbbba381dce5d061e2c710e5bf30
Instruction ID: e95b92b144b017121951110cdc9aa9aa7428a3a27df9a4c4f5f14f9b4e859331
Opcode Fuzzy Hash: 5fc6d21c18e30290d7cfeb94d6cafe41987ffbbba381dce5d061e2c710e5bf30
Instruction Fuzzy Hash: 1031C2B1900219EFCB00CFA8CD99ADF3BB9EB15315F10422AF921AB2E1C7749954CB94

Function 004D5706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 004D5745
SendMessageW.USER32(?,00001074,?,00000001), ref: 004D579D
_wcslen.LIBCMT ref: 004D57AF
_wcslen.LIBCMT ref: 004D57BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D5816

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: ee75dc562211cbd6a355595cb3664f73768dc73572e02ab2cc90eae4c8deb618
Instruction ID: 58cf9e6dc0495556f3c8e2c04c24169b0ba0f34aab9745ee4d30e30f7155c49d
Opcode Fuzzy Hash: ee75dc562211cbd6a355595cb3664f73768dc73572e02ab2cc90eae4c8deb618
Instruction Fuzzy Hash: 6F21A771904618DADB20DF64CC94AEE77B8FF05324F10815BF919DA380DB748985CF59

Function 004C0930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 004C0951
GetForegroundWindow.USER32 ref: 004C0968
GetDC.USER32(00000000), ref: 004C09A4
GetPixel.GDI32(00000000,?,00000003), ref: 004C09B0
ReleaseDC.USER32(00000000,00000003), ref: 004C09E8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f111ac8955c0b07280508b4195262271887ac254f883208041b0bef1da7a9c55
Instruction ID: e21860a37239595613a8fd74549e2308db0496ef641bf6ec70afca60ad345206
Opcode Fuzzy Hash: f111ac8955c0b07280508b4195262271887ac254f883208041b0bef1da7a9c55
Instruction Fuzzy Hash: 3B215E75600214AFD744EF65C984AAEBBE5EF44744F04846EE84A97362CA34EC04CB94

Function 0047CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0047CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0047CDE9

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0047CE0F
_free.LIBCMT ref: 0047CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0047CE31

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 29ac7683cbbf886fcc471cb1927c73d65fde28721c0c1d4d6cbe04cfdbc91d6a
Instruction ID: 7ec8fcaa3ff830aec889c0649b52ebb2e5422a3d7949cb89c80289662a25ad5c
Opcode Fuzzy Hash: 29ac7683cbbf886fcc471cb1927c73d65fde28721c0c1d4d6cbe04cfdbc91d6a
Instruction Fuzzy Hash: C501D8726026157F272116B66CC8CBF6A6DDFC6BA1315812FFD09C7200DA688D0281B9

Function 00459639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
SelectObject.GDI32(?,00000000), ref: 004596A2
BeginPath.GDI32(?), ref: 004596B9
SelectObject.GDI32(?,00000000), ref: 004596E2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: db7da3f69bc1959f95ef1732383d6e5ccfb89d8b5cd4f6c8944f5b726d7bc670
Instruction ID: eda12c50c749bd8939734da0ce962ed544f2cae061badbff61760bded230865c
Opcode Fuzzy Hash: db7da3f69bc1959f95ef1732383d6e5ccfb89d8b5cd4f6c8944f5b726d7bc670
Instruction Fuzzy Hash: C2217130802706EBDB119F64DC557EE7BA5BB20316F108267F920961A1D3785C5DDF9C

Function 004A5711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 004A5726
_memcmp.LIBVCRUNTIME ref: 004A5744
_memcmp.LIBVCRUNTIME ref: 004A5757
_memcmp.LIBVCRUNTIME ref: 004A576F
_memcmp.LIBVCRUNTIME ref: 004A5787

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a61a087a6a27566e95125a28a4182acb567a162141928541f6f5d2c5310c1195
Instruction ID: b7a427bcda0dbcb53ba0bfce7455c1b2e2b7b28630cf46cd425e426177da6559
Opcode Fuzzy Hash: a61a087a6a27566e95125a28a4182acb567a162141928541f6f5d2c5310c1195
Instruction Fuzzy Hash: 29012669240A04BAA21851118E42FFB234C9B323A8F144037FD06AAB41F72CED1082AE

Function 00472DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0046F2DE,00473863,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6), ref: 00472DFD
_free.LIBCMT ref: 00472E32
_free.LIBCMT ref: 00472E59
SetLastError.KERNEL32(00000000,00441129), ref: 00472E66
SetLastError.KERNEL32(00000000,00441129), ref: 00472E6F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 066785fde3bf32191ae901c1cfb110fcf6be25e9c168a5fab35c8a94b2316742
Instruction ID: b342478b09e43f567c51bdbfc38e7e1297f4a91df7d4f2e52f57303b5e7675b9
Opcode Fuzzy Hash: 066785fde3bf32191ae901c1cfb110fcf6be25e9c168a5fab35c8a94b2316742
Instruction Fuzzy Hash: C301497224160077C61227352E85DEB265DABD5379B24C02FF82CA22D3EFEC8C45902C

Function 004A000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?,?,004A035E), ref: 004A002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?), ref: 004A0064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0049FF41,80070057,?,?), ref: 004A0070

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b9c9f500950010a91fe6d594c0c2f5f90f5879d5c344827024e6bdd039663625
Instruction ID: efd20aa6bc9e0810138c0ee0a2149bbbdd4274dd76a7d21996da54bdd8fc54eb
Opcode Fuzzy Hash: b9c9f500950010a91fe6d594c0c2f5f90f5879d5c344827024e6bdd039663625
Instruction Fuzzy Hash: 7B01DBB2605205BFDB105F68EC84FAB7BAEEB58392F104126F901E2210E778CD00DBA4

Function 004AE97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 004AE997
QueryPerformanceFrequency.KERNEL32(?), ref: 004AE9A5
Sleep.KERNEL32(00000000), ref: 004AE9AD
QueryPerformanceCounter.KERNEL32(?), ref: 004AE9B7
Sleep.KERNEL32 ref: 004AE9F3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 584b643211502e390f196720e310656b75c3d934fa5640b710901e50938d473c
Instruction ID: 125b6d0e9ef8b1d171f45e30b7e483f02d2f84bb112c9b59db4f9e4e3f76545d
Opcode Fuzzy Hash: 584b643211502e390f196720e310656b75c3d934fa5640b710901e50938d473c
Instruction Fuzzy Hash: BC015E71C01629DBCF009BE6D9896DEBB78BB1A300F000557D512B2280CB345551CB69

Function 004A10F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 004A1114
GetLastError.KERNEL32(?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,004A0B9B,?,?,?), ref: 004A1136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 004A114D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: fc5cf63baaca712a6dfe296e855a2187a71c0bc410376cb878e1567ef223327b
Instruction ID: 0ff613c46cd3df26d405c9579ac427b82874471ef4583c0c23bb494a8868b0aa
Opcode Fuzzy Hash: fc5cf63baaca712a6dfe296e855a2187a71c0bc410376cb878e1567ef223327b
Instruction Fuzzy Hash: F2011975201216BFDB114FA5DC89A6B3B6EEF8A3A4B20442AFA45D7360DA31DC00DA64

Function 004A0FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004A0FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004A0FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004A0FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004A0FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004A1002

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: dbbda175da9d84a8dbc0919b6d61714fcd7f271c6d8e7ef800e71b756c675628
Instruction ID: e17e0d8f00677d79dd1b8e87eb12ecb418ddba6be4004071de9844e1e3ab2597
Opcode Fuzzy Hash: dbbda175da9d84a8dbc0919b6d61714fcd7f271c6d8e7ef800e71b756c675628
Instruction Fuzzy Hash: BAF06D35241312EBEB214FA4DC8DF5B3BADEF8A762F114426FA45D72A1CA74DC40CA64

Function 004A1014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004A102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004A1036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004A104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1062

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f64ae0021afd97782f982999f3a48da71119908e0025155f8a14d70a9d3ba384
Instruction ID: 716b2252bca9087fce3a3c4f14a2d310f9ab97b96bada927df80d192b5a3b4ce
Opcode Fuzzy Hash: f64ae0021afd97782f982999f3a48da71119908e0025155f8a14d70a9d3ba384
Instruction Fuzzy Hash: 87F06235141312EBDB225FA4EC89F5B3B6DEF8A761F110426F945D72A0CA74D840CA64

Function 004B030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0324
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0331
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B033E
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B034B
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0358
CloseHandle.KERNEL32(?,?,?,?,004B017D,?,004B32FC,?,00000001,00482592,?), ref: 004B0365

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 20c30cb9a9318ccdc111b99c159153f55532dd6cc1f00a8aa142afc9054e1361
Instruction ID: baf1438ff7e6ca38d5065130e5bbdf2e228e9fa6ea546432583a3500faae1d0b
Opcode Fuzzy Hash: 20c30cb9a9318ccdc111b99c159153f55532dd6cc1f00a8aa142afc9054e1361
Instruction Fuzzy Hash: A601EE72800B058FCB30AF66D880843FBF9BF603063049A3FD19252A30C3B4A988CF94

Function 0047D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0047D752

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 0047D764
_free.LIBCMT ref: 0047D776
_free.LIBCMT ref: 0047D788
_free.LIBCMT ref: 0047D79A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 67921b22d40125357a042d4e89d3aa10ebf62758bc86094a8f63ee98ea5db302
Instruction ID: 44cc389e7f607fb351514d9eb1291057d6996fb77180a364c7f48df3a27e2005
Opcode Fuzzy Hash: 67921b22d40125357a042d4e89d3aa10ebf62758bc86094a8f63ee98ea5db302
Instruction Fuzzy Hash: DBF036F251020457C625E765F9C2C9B7BEDBF45310B98880AF14DE7502C728FC84466C

Function 004A5C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004A5C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 004A5C6F
MessageBeep.USER32(00000000), ref: 004A5C87
KillTimer.USER32(?,0000040A), ref: 004A5CA3
EndDialog.USER32(?,00000001), ref: 004A5CBD

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: cb605bda5d0c3a715d9f9488185d3b38c4d871093b29947d7990c341e0fba651
Instruction ID: 698de01f7a73d9c92982753ead982fa21416b4c6b5a005ed421d7865272dfc6a
Opcode Fuzzy Hash: cb605bda5d0c3a715d9f9488185d3b38c4d871093b29947d7990c341e0fba651
Instruction Fuzzy Hash: ED018B305017059BFB205B10DE8EF9677B8FB11705F00166BA543A14E1D7F4A944CA59

Function 004722A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004722BE

Part of subcall function 004729C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000), ref: 004729DE
Part of subcall function 004729C8: GetLastError.KERNEL32(00000000,?,0047D7D1,00000000,00000000,00000000,00000000,?,0047D7F8,00000000,00000007,00000000,?,0047DBF5,00000000,00000000), ref: 004729F0

_free.LIBCMT ref: 004722D0
_free.LIBCMT ref: 004722E3
_free.LIBCMT ref: 004722F4
_free.LIBCMT ref: 00472305

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d2d1ff88a47bc1c6be6c18aa5a8cc5f5dc2d875d045c113f01e2d4bfe309f349
Instruction ID: 93e023ed3bb41a0002f92b686a8870a9c4a9c0d273fabfe16e51a71e4cc346f1
Opcode Fuzzy Hash: d2d1ff88a47bc1c6be6c18aa5a8cc5f5dc2d875d045c113f01e2d4bfe309f349
Instruction Fuzzy Hash: 76F01DF85015108BC612AF65AD028CD7E64BB39750B05D64BF518D22B1C7B904DABAAC

Function 004595C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004595D4
StrokeAndFillPath.GDI32(?,?,004971F7,00000000,?,?,?), ref: 004595F0
SelectObject.GDI32(?,00000000), ref: 00459603
DeleteObject.GDI32 ref: 00459616
StrokePath.GDI32(?), ref: 00459631

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 82a5ca17e007ba1f60cafa17a36cbbd813939461611b12aea9eaee306b157317
Instruction ID: 6e4e42c85efc4352b968b89ac8c70058478555dc6e53e3f4396fbf5ef8f38b2f
Opcode Fuzzy Hash: 82a5ca17e007ba1f60cafa17a36cbbd813939461611b12aea9eaee306b157317
Instruction Fuzzy Hash: 4EF03C31006A09EBDB165F65ED5C7A93B61AB10322F04C266FA25551F1C73489ADEF2C

Function 00470F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 004710F9
__freea.LIBCMT ref: 00471117

Part of subcall function 00471537: _free.LIBCMT ref: 0047154F

Strings

a/p, xrefs: 004711DE
am/pm, xrefs: 0047117A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 8177489804e67560fe78baf08118f817c0114d23f041e5b0c184eb2ab3113ec5
Instruction ID: cc8f07359c9cf1f880bdcdf81cc7a4d9c09c91c6372003f068ea5dbaa13e8003
Opcode Fuzzy Hash: 8177489804e67560fe78baf08118f817c0114d23f041e5b0c184eb2ab3113ec5
Instruction Fuzzy Hash: 3DD1F231900245CAEB249F6CC895BFBB7B4EF05304F28815BE909ABB61D37D9D81CB59

Function 004C61D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00460242: EnterCriticalSection.KERNEL32(0051070C,00511884,?,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046024D
Part of subcall function 00460242: LeaveCriticalSection.KERNEL32(0051070C,?,0045198B,00512518,?,?,?,004412F9,00000000), ref: 0046028A

Part of subcall function 004600A3: __onexit.LIBCMT ref: 004600A9

__Init_thread_footer.LIBCMT ref: 004C6238

Part of subcall function 004601F8: EnterCriticalSection.KERNEL32(0051070C,?,?,00458747,00512514), ref: 00460202
Part of subcall function 004601F8: LeaveCriticalSection.KERNEL32(0051070C,?,00458747,00512514), ref: 00460235

Part of subcall function 004B359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 004B35E4
Part of subcall function 004B359C: LoadStringW.USER32(00512390,?,00000FFF,?), ref: 004B360A

Strings

x#Q, xrefs: 004C6353
x#Q, xrefs: 004C633A
x#Q, xrefs: 004C636F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#Q$x#Q$x#Q
API String ID: 1072379062-530750269
Opcode ID: fbf9348370fbb2904d5f9c8789440eb99d33fb7584c641fdb19d870c3907391c
Instruction ID: 2bb6a7a682444ce94b255ffcfe83778f06d9648d25b0ad46c9e0b4792dd7693f
Opcode Fuzzy Hash: fbf9348370fbb2904d5f9c8789440eb99d33fb7584c641fdb19d870c3907391c
Instruction Fuzzy Hash: 23C19B75A00105AFDB14EF98C890EBEB7B9FF48304F11806EE9059B291DB78ED45CB99

Function 00475AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOD, xrefs: 00475BA8, 00475C6C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: JOD
API String ID: 0-2216429383
Opcode ID: 6c036bd02561536f8db9f9dad403c58c3cfbc09ad4b2b930c5153fb4c0894f0b
Instruction ID: 855c4581019b82349fb6a31fab86fb240dea39272188df046d2daf10b22c89ed
Opcode Fuzzy Hash: 6c036bd02561536f8db9f9dad403c58c3cfbc09ad4b2b930c5153fb4c0894f0b
Instruction Fuzzy Hash: B351CF71D006099FCB219FA5C945BFFBBB8AF05314F14805BE408AF291D7B99902CB6A

Function 00478A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00478B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00478B7A
__dosmaperr.LIBCMT ref: 00478B81

Strings

.F, xrefs: 00478A63

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .F
API String ID: 2434981716-907655787
Opcode ID: 75a11eb073a95ec5af7e52105cc3c1de6c2de229e2375ee9da0f3d1dc6572e37
Instruction ID: 89f20480cfb91b8fa959483c8b1a0294a35305fb488c2de2e28d9f11ce4b9366
Opcode Fuzzy Hash: 75a11eb073a95ec5af7e52105cc3c1de6c2de229e2375ee9da0f3d1dc6572e37
Instruction Fuzzy Hash: 2F417E70504045AFCB249F25C889AFE7F95DB85304F18C1AFF48D87642DE359C439798

Function 004A2716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004AB403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A21D0,?,?,00000034,00000800,?,00000034), ref: 004AB42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 004A2760

Part of subcall function 004AB3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004A21FF,?,?,00000800,?,00001073,00000000,?,?), ref: 004AB3F8

Part of subcall function 004AB32A: GetWindowThreadProcessId.USER32(?,?), ref: 004AB355
Part of subcall function 004AB32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,004A2194,00000034,?,?,00001004,00000000,00000000), ref: 004AB365
Part of subcall function 004AB32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,004A2194,00000034,?,?,00001004,00000000,00000000), ref: 004AB37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A27CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004A281A

Strings

@, xrefs: 004A2832

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: cd2705d4bb827773e05e7b589c3c111ee2177e43870f9f8a6f1a00a4abfba7f2
Instruction ID: 308108c89327fdb953ec663836991787bcc0bda5ca88cc80faa3442a708648ca
Opcode Fuzzy Hash: cd2705d4bb827773e05e7b589c3c111ee2177e43870f9f8a6f1a00a4abfba7f2
Instruction Fuzzy Hash: 2D413D76900218AFDB10DFA4CD81AEEBBB8EF1A304F00405AFA55B7191DB746E45DBA4

Function 0047172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00471769
_free.LIBCMT ref: 00471834
_free.LIBCMT ref: 0047183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00471760, 00471767, 00471796, 004717CE

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-4010620828
Opcode ID: db938c6f41a80ec770ab831fc6d10777a1ecdf8177db0e14a10a474f8b3bee98
Instruction ID: ffddac4f1815a84a41f564336a27954c514de69aa9bc1a332953554b2c5eea52
Opcode Fuzzy Hash: db938c6f41a80ec770ab831fc6d10777a1ecdf8177db0e14a10a474f8b3bee98
Instruction Fuzzy Hash: 6F319575A00218ABDB21DF9A9881DDFBBFCEB95310B1481ABE50897221D6748A44CB99

Function 004AC27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004AC306
DeleteMenu.USER32(?,00000007,00000000), ref: 004AC34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00511990,00D85B38), ref: 004AC395

Strings

0, xrefs: 004AC2DF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: a08065dcaabd5854bb54d7bdf7e962a8ee3012cbe35864bdc95162113c88498b
Instruction ID: bcb5ffec9493530bc2ce7132751c4c935d32c63eae30356223bcce357727110b
Opcode Fuzzy Hash: a08065dcaabd5854bb54d7bdf7e962a8ee3012cbe35864bdc95162113c88498b
Instruction Fuzzy Hash: 1741A071208301AFDB20DF25D884B1BBBE8AF96314F04861EFDA5973D1D778A904CB5A

Function 004D4416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,004DCC08,00000000,?,?,?,?), ref: 004D44AA
GetWindowLongW.USER32 ref: 004D44C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D44D7

Strings

SysTreeView32, xrefs: 004D447C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 3ab8d8d0d253fcc30a2335493130516706df0f0c67a2d2fac1a9188cc2926542
Instruction ID: 829c795f959bfcad38e3dc4dc2013eda93e5db7b3bee69ba2e5a1bc21c63a922
Opcode Fuzzy Hash: 3ab8d8d0d253fcc30a2335493130516706df0f0c67a2d2fac1a9188cc2926542
Instruction Fuzzy Hash: 07317E31210605AFDF208E38DC95BEB77A9EB49328F20472BF975922D0D778EC919754

Function 004A6E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 004A6EED
VariantCopyInd.OLEAUT32(?,?), ref: 004A6F08
VariantClear.OLEAUT32(?), ref: 004A6F12

Strings

*jJ, xrefs: 004A6E8B, 004A6E90, 004A6EF8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jJ
API String ID: 2173805711-3279958407
Opcode ID: 9bcc00c9a3297a963c4cbf7b5008e53aeb1e0818a37f25692058ca662e9f4a21
Instruction ID: 4d4754c35082ee077d59e2f2dffa684f2120e4ed7f44f03dcdce567146c12476
Opcode Fuzzy Hash: 9bcc00c9a3297a963c4cbf7b5008e53aeb1e0818a37f25692058ca662e9f4a21
Instruction Fuzzy Hash: C931D171704205DFDB04AFA5E8909BE77B6EF92308B1504AEF8064B2A1C738D912CBD9

Function 004C304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 004C335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,004C3077,?,?), ref: 004C3378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 004C307A
_wcslen.LIBCMT ref: 004C309B
htons.WSOCK32(00000000,?,?,00000000), ref: 004C3106

Strings

255.255.255.255, xrefs: 004C3095, 004C309A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d3c5209df74a7f231873a5e5aa31bffbfee2f02e536b178d5b4f55f479140001
Instruction ID: f3acfe79123c2eeb759f278ffa78b72ba8fbfcafc0702058d9365466f6083846
Opcode Fuzzy Hash: d3c5209df74a7f231873a5e5aa31bffbfee2f02e536b178d5b4f55f479140001
Instruction Fuzzy Hash: 3731B23A2002019FDB50DF29C485FAA77E0EF54319F28C05EE9158B392DB7AEE45C765

Function 004D4653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 004D4705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 004D4713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004D471A

Strings

msctls_updown32, xrefs: 004D4684

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: ea435fa03d9a3381b2ddbfe86aad0589948ec14ed2bf90500f28a5c8db5e7fc0
Instruction ID: eeca0fdf0b13e5eefb0ba95d9376207a5e6c56eadc571a621743be02dab8851c
Opcode Fuzzy Hash: ea435fa03d9a3381b2ddbfe86aad0589948ec14ed2bf90500f28a5c8db5e7fc0
Instruction Fuzzy Hash: A92151B5600209AFDB10DF65DCD1DBB37ADEB9A398B04005BF6009B391CB75EC11DA64

Function 004A95AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004A961D

Strings

#notrayicon, xrefs: 004A95B7
#OnAutoItStartRegister, xrefs: 004A95F3
#requireadmin, xrefs: 004A95D9

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 9e52a86f6daa4a56baf99550716d5272f9ee2be3103aee2aca53879484da1b1e
Instruction ID: 80e38fbf8443115e0d173aee05e7419fb459e36931e2edfd5f1fa0028beb1319
Opcode Fuzzy Hash: 9e52a86f6daa4a56baf99550716d5272f9ee2be3103aee2aca53879484da1b1e
Instruction Fuzzy Hash: 5721357260421066D331AA26DC02FBB73D89FB6314F14442FFA4A97281EB5DAD56C29E

Function 004D37B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 004D3840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 004D3850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 004D3876

Strings

Listbox, xrefs: 004D380F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 3896f27926b5356bfe5291ac1638631c48be5d8dddb3f966dd48cf3fc9744990
Instruction ID: 13a74f170518cd82caec1cf9b5e3600b3b25bf587dff94147f57ad1244dc1713
Opcode Fuzzy Hash: 3896f27926b5356bfe5291ac1638631c48be5d8dddb3f966dd48cf3fc9744990
Instruction Fuzzy Hash: 3E210472600119BBEF219F54CC85FBB37AEEF89754F008126F9009B290C675DC12D7A4

Function 004B49F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 004B4A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 004B4A5C
SetErrorMode.KERNEL32(00000000,?,?,004DCC08), ref: 004B4AD0

Strings

%lu, xrefs: 004B4A6F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 7fe1c2ab4a388395003416380a371522805701318706e014a6b08620a2652059
Instruction ID: 5b683f470ff01471fe4b6c1df3b17ee86dfcc22a2e39b00770b1aca981ebcb21
Opcode Fuzzy Hash: 7fe1c2ab4a388395003416380a371522805701318706e014a6b08620a2652059
Instruction Fuzzy Hash: 87318E74A00109AFDB10DF54C885EAE7BF8EF48308F1480AAE909DB352D775ED46CB65

Function 004D41EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 004D424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 004D4264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 004D4271

Strings

msctls_trackbar32, xrefs: 004D4226

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 3c941c36bfc4942e8e44f4b0d09b70d3212f1681df46baf0e66eaa82e8efa9c4
Instruction ID: 50127a500a8c5dc359579f458cd6727c291108e999354b6154d191939e34735f
Opcode Fuzzy Hash: 3c941c36bfc4942e8e44f4b0d09b70d3212f1681df46baf0e66eaa82e8efa9c4
Instruction Fuzzy Hash: DD11E331240208BFEF205F29CC46FAB3BACEF95B64F11012AFA55E2290D675D8119B28

Function 004A2F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

Part of subcall function 004A2DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004A2DC5
Part of subcall function 004A2DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A2DD6
Part of subcall function 004A2DA7: GetCurrentThreadId.KERNEL32 ref: 004A2DDD
Part of subcall function 004A2DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004A2DE4

GetFocus.USER32 ref: 004A2F78

Part of subcall function 004A2DEE: GetParent.USER32(00000000), ref: 004A2DF9

GetClassNameW.USER32(?,?,00000100), ref: 004A2FC3
EnumChildWindows.USER32(?,004A303B), ref: 004A2FEB

Strings

%s%d, xrefs: 004A2FFF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: bea6aa6a8a135b2a6baaa24a93bb140a1ec802427bbe3429048d6056e2742d90
Instruction ID: 0bc569bf23bae8173d30bd299ca2a18b37f34c2932f8fc508cf0beed64782ca7
Opcode Fuzzy Hash: bea6aa6a8a135b2a6baaa24a93bb140a1ec802427bbe3429048d6056e2742d90
Instruction Fuzzy Hash: EB11D5712002056BDF107F658CC5EEE376AAF95309F04407BFD099B292EE789909DB68

Function 004D5882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D58C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 004D58EE
DrawMenuBar.USER32(?), ref: 004D58FD

Strings

0, xrefs: 004D588F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: f8883ecaecbeefbc7e2080c150b5856f278b54c98be727e8a578471784a2b902
Instruction ID: b04b5bece51d957a0a8ee0f12f005dafe6927a80aa7729fed8fcb87a759f746c
Opcode Fuzzy Hash: f8883ecaecbeefbc7e2080c150b5856f278b54c98be727e8a578471784a2b902
Instruction Fuzzy Hash: 3301A171500218EFDB109F11DC55BAFBBB4FB45361F0080ABE848D6251DF348A85DF2A

Function 0049D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0049D3BF
FreeLibrary.KERNEL32 ref: 0049D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0049D3B9
X64, xrefs: 0049D2A8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 7b8393184c221bf24f80ba64d9f2871a559fc1e486f40634f92d135a1c4864a7
Instruction ID: c582575667fc07682611908234fa714cbd58bb43cd1f9925d339bd4a92fc2ebc
Opcode Fuzzy Hash: 7b8393184c221bf24f80ba64d9f2871a559fc1e486f40634f92d135a1c4864a7
Instruction Fuzzy Hash: DAF0EC21D06A2297DF7557104C989AE3F14AF11742B9486B7EC02E524DDB1CCD45C69F

Function 004A007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c014c28e17ccb39788ef984ba0ba97dd4ee9642940ce23ecd047c837800aad9
Instruction ID: 98626709552b6c92df0f29a06992de049f92cd37a9c09b77a91bcad73a023377
Opcode Fuzzy Hash: 0c014c28e17ccb39788ef984ba0ba97dd4ee9642940ce23ecd047c837800aad9
Instruction Fuzzy Hash: 37C16B75A0020AEFCB14CFA4C894BAEB7B5FF59304F20859AE805EB251D735ED42CB94

Function 004C342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004C3459
CoUninitialize.OLE32 ref: 004C3463
VariantInit.OLEAUT32(?), ref: 004C346E
VariantClear.OLEAUT32(?), ref: 004C371B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 77936d54243d88dff453116cf20af080cb71b32dbf2e0764cb3d53f7f4ef6e07
Instruction ID: 7e86fce399edd4b75eb98e23bb1f2809f3d1c2d6beb8e6de4bf329f6e420d8c2
Opcode Fuzzy Hash: 77936d54243d88dff453116cf20af080cb71b32dbf2e0764cb3d53f7f4ef6e07
Instruction Fuzzy Hash: D4A16E79604210AFD710DF25C485E1AB7E4FF88719F04885EF94A9B362DB38ED05CB59

Function 004A0436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,004DFC08,?), ref: 004A05F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,004DFC08,?), ref: 004A0608
CLSIDFromProgID.OLE32(?,?,00000000,004DCC40,000000FF,?,00000000,00000800,00000000,?,004DFC08,?), ref: 004A062D
_memcmp.LIBVCRUNTIME ref: 004A064E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 1598e95be5655e2fd8b12dc8d07726dd336745e2e712224f76858938b6dc7f37
Instruction ID: a982c96c7781af07c8f0c91e66fa6bd8a67aff6888e3d06469d274ad82e1960a
Opcode Fuzzy Hash: 1598e95be5655e2fd8b12dc8d07726dd336745e2e712224f76858938b6dc7f37
Instruction Fuzzy Hash: A0814A71A00109EFCB04DF94C988EEEB7B9FF9A315F204159F506AB250DB75AE06CB64

Function 004CA67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 004CA6AC
Process32FirstW.KERNEL32(00000000,?), ref: 004CA6BA

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Process32NextW.KERNEL32(00000000,?), ref: 004CA79C
CloseHandle.KERNEL32(00000000), ref: 004CA7AB

Part of subcall function 0045CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00483303,?), ref: 0045CE8A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a7e222f822826e181404b6f632ed211451cc965ce562fa3305c9853b6f56c933
Instruction ID: 286eea78f7ebc1037b3ca36e03b34f0a1ff119c2932cfc6224ccd6c25f19aa7b
Opcode Fuzzy Hash: a7e222f822826e181404b6f632ed211451cc965ce562fa3305c9853b6f56c933
Instruction Fuzzy Hash: F4516E75508301AFD710EF25C886E6BBBE8FF89758F00492EF98597252EB34D904CB96

Function 00481391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004814C0

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 175d349b275fde42403e49eeed0190081a4478ae6eaed9000366fdee04815883
Instruction ID: 6f2dbfc4c082461a509bfd37ce96e1ab68ee3a353328b9f41e692deec3ae0c31
Opcode Fuzzy Hash: 175d349b275fde42403e49eeed0190081a4478ae6eaed9000366fdee04815883
Instruction Fuzzy Hash: 2F417071A001006BDB217BBA9C45ABF3BACEF41734F144A6BF418C62B1E67C4843576E

Function 004D6278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D62E2
ScreenToClient.USER32(?,?), ref: 004D6315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 004D6382

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: aaa3884a15ebc6e81b1ef6038e290de3e4c3300506d15243919c667ddc1566fe
Instruction ID: cd0f5c1c45702ed9e3acacddbf467c15daf66712b0086820a72fa60944cff3a8
Opcode Fuzzy Hash: aaa3884a15ebc6e81b1ef6038e290de3e4c3300506d15243919c667ddc1566fe
Instruction Fuzzy Hash: CF514A74A00209AFCF10DF68D8909AE7BB5EF55360F11826BF9259B390D734ED41CB94

Function 004C1AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004C1AFD
WSAGetLastError.WSOCK32 ref: 004C1B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 004C1B8A
WSAGetLastError.WSOCK32 ref: 004C1B94

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 518ebdeaa2ce82bd8b13142bdb4118e611ed1b9941d718c141e03175152b6b62
Instruction ID: d4f162c6049bd760763204c078b893079eb55226a702b7b7ccfa4f0031050f97
Opcode Fuzzy Hash: 518ebdeaa2ce82bd8b13142bdb4118e611ed1b9941d718c141e03175152b6b62
Instruction Fuzzy Hash: 9041D538600201AFE720AF21C886F2677E5AB45718F54845EF9169F3D3E77AED42CB94

Function 0047B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3d3c39b542f68506b9ea5543e2ca34a75aecb67a33fb7a6aae5f6a6c0fc92e7
Instruction ID: 998abe61d2193a6ab3bb89d55d15a32d2e64759f45128d90db0549c27154fc19
Opcode Fuzzy Hash: b3d3c39b542f68506b9ea5543e2ca34a75aecb67a33fb7a6aae5f6a6c0fc92e7
Instruction Fuzzy Hash: 2341E671A00704BFD724AF39C841BAABBA9EB84714F10852FF549DB292D779994187C4

Function 004B56D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 004B5783
GetLastError.KERNEL32(?,00000000), ref: 004B57A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 004B57CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 004B57FA

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: ff0154770d8b9a5dc8f16829245b2a50124b409c364071eaa98ed39745458c56
Instruction ID: 320549d413e82f32af03376d58cc566e6a1bd7fa0bf839db32533621b2b93766
Opcode Fuzzy Hash: ff0154770d8b9a5dc8f16829245b2a50124b409c364071eaa98ed39745458c56
Instruction Fuzzy Hash: 8D414135600610DFDB11EF16C584A5EBBE1EF49319B18889AEC4A5F361CB38FD01CB95

Function 0047D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00466D71,00000000,00000000,004682D9,?,004682D9,?,00000001,00466D71,?,00000001,004682D9,004682D9), ref: 0047D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0047D9AB
__freea.LIBCMT ref: 0047D9B4

Part of subcall function 00473820: RtlAllocateHeap.NTDLL(00000000,?,00511444,?,0045FDF5,?,?,0044A976,00000010,00511440,004413FC,?,004413C6,?,00441129), ref: 00473852

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 20d83221810b4dcfa51e20f72d6da70f53a28705cd54b5ce694e37b902652127
Instruction ID: 98a71480fb4f13076a837ad5b3108f33b4284f82f1c86bca29e39467fcffc922
Opcode Fuzzy Hash: 20d83221810b4dcfa51e20f72d6da70f53a28705cd54b5ce694e37b902652127
Instruction Fuzzy Hash: E531DFB2A1021AABDB249F65DC41EEF7BB5EF40310F05826AFD0896250E739CD50CB95

Function 004D52C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 004D5352
GetWindowLongW.USER32(?,000000F0), ref: 004D5375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 004D5382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004D53A8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: c0d50b07211dbf753d4482b6c16d4f8700ce75a8ba501efe1224202b1bd5d538
Instruction ID: a49919a1f5e09118e2096183bc1c00c0845a6718d91db8f1dbc11d4f76e5938f
Opcode Fuzzy Hash: c0d50b07211dbf753d4482b6c16d4f8700ce75a8ba501efe1224202b1bd5d538
Instruction Fuzzy Hash: CF31E330A55A08EFEB309F14CC65BEA3761AB05390F584103FE10963E1CFB8AD50EB4A

Function 004AAB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 004AABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 004AAC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 004AAC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 004AACC6

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3d7fea61392394a6092d229cb0c5cd4f43ef4e8c6a75a5ce92bf33e0c0b15a9b
Instruction ID: 40043c2a0c3c661470ce19e209218f9fca30a6ec91bb5bb8bbface2ae7e58682
Opcode Fuzzy Hash: 3d7fea61392394a6092d229cb0c5cd4f43ef4e8c6a75a5ce92bf33e0c0b15a9b
Instruction Fuzzy Hash: 4F311670A006186FFF35CB6588087FB7BA6ABA7330F04421BE481922D1C37D89A1C75A

Function 004D7674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004D769A
GetWindowRect.USER32(?,?), ref: 004D7710
PtInRect.USER32(?,?,004D8B89), ref: 004D7720
MessageBeep.USER32(00000000), ref: 004D778C

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1f900d0f9a7a37351b4cbef90bf8f2a464dd94d1f7983a5a0bb1dde9e2325290
Instruction ID: 8f3a65c4a8ff03e7a759bd4d1f5725d529b9a937930d519c53d682d88f4dd903
Opcode Fuzzy Hash: 1f900d0f9a7a37351b4cbef90bf8f2a464dd94d1f7983a5a0bb1dde9e2325290
Instruction Fuzzy Hash: 34419C34A092159FCB01CF58C8A8EA977F4BB49314F1885ABE5249B361E338F945CF98

Function 004D16DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004D16EB

Part of subcall function 004A3A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 004A3A57
Part of subcall function 004A3A3D: GetCurrentThreadId.KERNEL32 ref: 004A3A5E
Part of subcall function 004A3A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,004A25B3), ref: 004A3A65

GetCaretPos.USER32(?), ref: 004D16FF
ClientToScreen.USER32(00000000,?), ref: 004D174C
GetForegroundWindow.USER32 ref: 004D1752

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: ade4181b589b7775c423c86fe611288d8c9837b24b56d04d30bee13cd4edbbd3
Instruction ID: 0a04db13fd0ee4e6d4adf26e5b4dc06a50121e452adf452a93ae64d024ab87af
Opcode Fuzzy Hash: ade4181b589b7775c423c86fe611288d8c9837b24b56d04d30bee13cd4edbbd3
Instruction Fuzzy Hash: D8315E75D01249AFD700DFAAC8C18AEB7F9EF49308B5480ABE415E7211E7359E45CBA4

Function 004D8FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetCursorPos.USER32(?), ref: 004D9001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00497711,?,?,?,?,?), ref: 004D9016
GetCursorPos.USER32(?), ref: 004D905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00497711,?,?,?), ref: 004D9094

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 4390e80675207fbeb0eeeb8e8e83242288aa10403112035c62a96edc71fa6b60
Instruction ID: 13b8a4e9fc8e3f57add1d32b8bfe3de1062370f23f9fcf4f1cabd224e5859f1e
Opcode Fuzzy Hash: 4390e80675207fbeb0eeeb8e8e83242288aa10403112035c62a96edc71fa6b60
Instruction Fuzzy Hash: 38219E31600018FFDB169F94D8A8EEA3BB9EF49350F0481ABF9058B361C3359D50DB64

Function 004AD2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,004DCB68), ref: 004AD2FB
GetLastError.KERNEL32 ref: 004AD30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 004AD319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,004DCB68), ref: 004AD376

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0308c23645edc4cd9090e24b7d84c4b4f5d3c9dfa31ba4f6abb5560a37225735
Instruction ID: 1a56ec8e2de61954e0d0b8e79fb5e106c3b73b29e309e54118aa7ecd19b79cd3
Opcode Fuzzy Hash: 0308c23645edc4cd9090e24b7d84c4b4f5d3c9dfa31ba4f6abb5560a37225735
Instruction Fuzzy Hash: D72194709052019F8B00DF29C88146F77E4AF66358F104A6FF896C76A1D734DD46CB9B

Function 004A1571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 004A102A
Part of subcall function 004A1014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 004A1036
Part of subcall function 004A1014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1045
Part of subcall function 004A1014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 004A104C
Part of subcall function 004A1014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 004A1062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004A15BE
_memcmp.LIBVCRUNTIME ref: 004A15E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004A1617
HeapFree.KERNEL32(00000000), ref: 004A161E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7c5cab6a9adc8f937351826cfcb86d3df126583ed39bd5baac50f3bd41d5aeb8
Instruction ID: 7dcdc3a462846f7a98e1eb8cc9406d212eb466ef1673c32e2a142dd7fd6fde4f
Opcode Fuzzy Hash: 7c5cab6a9adc8f937351826cfcb86d3df126583ed39bd5baac50f3bd41d5aeb8
Instruction Fuzzy Hash: A3219D31E41109EFDF00DFA4C945BEFB7B8EF56344F08445AE441AB261E738AA05CBA4

Function 004D2782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 004D280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D2824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 004D2832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 004D2840

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 0c71e76a39449fbc67f71344197956211f9b0553544a23c149f900fef4091b1a
Instruction ID: 1b3e7198f5bbff1fb9e761f408cd0d6d1153e514e34a056da38bcb3ae55b1b44
Opcode Fuzzy Hash: 0c71e76a39449fbc67f71344197956211f9b0553544a23c149f900fef4091b1a
Instruction Fuzzy Hash: B9210031205111AFD7109B24C9A0FAABB95EF55328F14825BF4268B3E2C7B9FC42C798

Function 004A78F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004A8D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?), ref: 004A8D8C
Part of subcall function 004A8D7D: lstrcpyW.KERNEL32(00000000,?,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A8DB2
Part of subcall function 004A8D7D: lstrcmpiW.KERNEL32(00000000,?,004A790A,?,000000FF,?,004A8754,00000000,?,0000001C,?,?), ref: 004A8DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7923
lstrcpyW.KERNEL32(00000000,?,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7949
lstrcmpiW.KERNEL32(00000002,cdecl,?,004A8754,00000000,?,0000001C,?,?,00000000), ref: 004A7984

Strings

cdecl, xrefs: 004A797B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8775131b9b94ca468139123d93f5c0064aec40b17f14d2e2f67ec8bbfce7ba8f
Instruction ID: 509687913b0c37282026e872e5027bfa20625c91b5b9fad6cd85afd04c5c36d3
Opcode Fuzzy Hash: 8775131b9b94ca468139123d93f5c0064aec40b17f14d2e2f67ec8bbfce7ba8f
Instruction Fuzzy Hash: 6611037A201202ABDB259F39CC45E7B77A9FF96354B40402FF802C73A4EB359811C7A9

Function 004D7CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 004D7D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 004D7D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 004D7D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,004BB7AD,00000000), ref: 004D7D6B

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: e81c573fb7cb0e757388a87ac243c8ec438454bf2472e04f7727fd1c0afdc30b
Instruction ID: b18d8aa63c24655f6205e7434e52b755bbcd4d8531fe05a1468ec0d92b6ea7a3
Opcode Fuzzy Hash: e81c573fb7cb0e757388a87ac243c8ec438454bf2472e04f7727fd1c0afdc30b
Instruction Fuzzy Hash: FC11CD31205625AFCB108F28CC54AA63BA6AF45360B118327F93AC73F0E7349951DB48

Function 004D5660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 004D56BB
_wcslen.LIBCMT ref: 004D56CD
_wcslen.LIBCMT ref: 004D56D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 004D5816

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 948fa785b0f3d027f3672580c03e90aeca2a8b3e0a10b981a453d43264046542
Instruction ID: f70eeee61b37d2f99d075fae6d288b7fc304222dd3e9a8baafd71933fe31f63f
Opcode Fuzzy Hash: 948fa785b0f3d027f3672580c03e90aeca2a8b3e0a10b981a453d43264046542
Instruction Fuzzy Hash: 0011D271600608A6DB20DB658C91AEE37ACEB11364B10406BF91596281EF78C984CB6D

Function 00471D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8170cd704d98053a7c533178d32982561c1cb015dd1faaa1654326032e87854e
Instruction ID: e4ce1974a869e209f734acdd605bd55bc18ec583b26f87f9278e564935526d28
Opcode Fuzzy Hash: 8170cd704d98053a7c533178d32982561c1cb015dd1faaa1654326032e87854e
Instruction Fuzzy Hash: 8A01F7F22056163EF621167C7CC1FA7671CDF413B8F34832BF529912E1DB689C405928

Function 004A1A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 004A1A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 004A1A8A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 027376dd4c6df002427607145238f7d8e6850e2b93a2849e473bcac6b98ca45c
Instruction ID: db1206e9744381a2b6116de1b78b5958f9bb0c0d6a64a905431cc192e6494f91
Opcode Fuzzy Hash: 027376dd4c6df002427607145238f7d8e6850e2b93a2849e473bcac6b98ca45c
Instruction Fuzzy Hash: AD113C3AD01219FFEB10DBA5CD85FADBB78EB15750F200092E600B7290D6716E50DB98

Function 004AE1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004AE1FD
MessageBoxW.USER32(?,?,?,?), ref: 004AE230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 004AE246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004AE24D

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 27e846efd7271b0c7e5bf23445bb114121d8a96ac445db88fea091a2b2064b78
Instruction ID: 14327a9de35e3f84be5e7d4eacf3e66f0750f66ababda21258b09cbc1ef9be48
Opcode Fuzzy Hash: 27e846efd7271b0c7e5bf23445bb114121d8a96ac445db88fea091a2b2064b78
Instruction Fuzzy Hash: BA110872E04259BBC7019BA99C49BDF7FACDB56310F0086A6F935D3291D2748D0487A8

Function 0046D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0046CFF9,00000000,00000004,00000000), ref: 0046D218
GetLastError.KERNEL32 ref: 0046D224
__dosmaperr.LIBCMT ref: 0046D22B
ResumeThread.KERNEL32(00000000), ref: 0046D249

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: e3e6754619fe229ec3ce3358fbbbaada51671352c706bcbe36fc6f676a3df27d
Instruction ID: 185c4b4b806d7e22eaa87621dd1c17646272a937dcd2fd26d974b53fc305ec6c
Opcode Fuzzy Hash: e3e6754619fe229ec3ce3358fbbbaada51671352c706bcbe36fc6f676a3df27d
Instruction Fuzzy Hash: 3A012636D052047BCB105BA6DC05BAF7B68DF81334F10426BF824921D0EF75C901C6AB

Function 004D9EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00459BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00459BB2

GetClientRect.USER32(?,?), ref: 004D9F31
GetCursorPos.USER32(?), ref: 004D9F3B
ScreenToClient.USER32(?,?), ref: 004D9F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 004D9F7A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: fdb46f825d0c9c0a02048e3c3985d8b2bca7e246593491caa4f59fdc47d02380
Instruction ID: c0f480d867c035fd48f5ecb899952186af955f961292ce2f631643572e8a8646
Opcode Fuzzy Hash: fdb46f825d0c9c0a02048e3c3985d8b2bca7e246593491caa4f59fdc47d02380
Instruction Fuzzy Hash: 47114832A0011ABBDB00DF69D8999EE77B8FB05315F40056BF911E3240D338BE81CBA9

Function 0044600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
GetStockObject.GDI32(00000011), ref: 00446060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 65e84a1f5ffe90201bde4ec3030c145bac4accdf6b6e1ebd9ef25b6dec211cc3
Instruction ID: a1ecd2a35bdc41763f742d6e1e2133045762a127e5ed639f7c99f76b3d1ff69e
Opcode Fuzzy Hash: 65e84a1f5ffe90201bde4ec3030c145bac4accdf6b6e1ebd9ef25b6dec211cc3
Instruction Fuzzy Hash: 2E11A1B2102509BFEF128FA4CC44EEBBB69EF09355F010217FA1452110C736DC60DBA5

Function 00463B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00463B56

Part of subcall function 00463AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00463AD2
Part of subcall function 00463AA3: ___AdjustPointer.LIBCMT ref: 00463AED

_UnwindNestedFrames.LIBCMT ref: 00463B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00463B7C
CallCatchBlock.LIBVCRUNTIME ref: 00463BA4

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: baef11e2670b8e669d5dc69bc645bd4508640475bad923596370180b6adc5e1f
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 80018032100189BBDF125E96CC42DEB3F6DEF88759F04400AFE4856121E73AE961DBA5

Function 00473073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,004413C6,00000000,00000000,?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue), ref: 004730A5
GetLastError.KERNEL32(?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue,004E2290,FlsSetValue,00000000,00000364,?,00472E46), ref: 004730B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0047301A,004413C6,00000000,00000000,00000000,?,0047328B,00000006,FlsSetValue,004E2290,FlsSetValue,00000000), ref: 004730BF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: cd460baee730a5fc062a3830443ea61a31d7ed47ba38f6cc8f0673754b835c48
Instruction ID: 5e7b070fca632c926db95e8c61440554c631d2e6c48814794bd542727d34338c
Opcode Fuzzy Hash: cd460baee730a5fc062a3830443ea61a31d7ed47ba38f6cc8f0673754b835c48
Instruction Fuzzy Hash: 4B01FC32752263ABCB314F789C849D777989F05B62B108732F909D7284D725D905D6D8

Function 004A7464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 004A747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 004A7497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 004A74AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 004A74CA

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 06cf105919da84dd6528e902219d047aea51d88f6e12889b535f7c86b01ae603
Instruction ID: 3050082cd5ca89934f75524ba3deb1d905f38cb66990f7fe957bc9a23a36e035
Opcode Fuzzy Hash: 06cf105919da84dd6528e902219d047aea51d88f6e12889b535f7c86b01ae603
Instruction Fuzzy Hash: 0A11ADB120A311AFE7308F14DD48B927BFCEB09B00F10856BE616D6191D7B4E904DBA5

Function 004AB0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,004AACD3,?,00008000), ref: 004AB126

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 427a209ace80c095cc8a1610c761dbed6a10fd2c332abe7ed14676c8004223e0
Instruction ID: 4a88bd620ab87f1c5a41ab028966d3fb503e972ba1393ac22d5179d0d8c360d4
Opcode Fuzzy Hash: 427a209ace80c095cc8a1610c761dbed6a10fd2c332abe7ed14676c8004223e0
Instruction Fuzzy Hash: 4A115E31C0152DE7CF009FE5D9986EEBB78FF2A751F1040A7D941B6282CB345651CB99

Function 004D7E14 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 004D7E33
ScreenToClient.USER32(?,?), ref: 004D7E4B
ScreenToClient.USER32(?,?), ref: 004D7E6F
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004D7E8A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 23650e8f1e8a09cbd1bb4709f9152d47dd88e1088ee2bb693f424b3ee7cbaa78
Instruction ID: 34ab880896ad92d93435ca30d8b98aaab698f739ca6b87f4ccd9e92b3def29ad
Opcode Fuzzy Hash: 23650e8f1e8a09cbd1bb4709f9152d47dd88e1088ee2bb693f424b3ee7cbaa78
Instruction Fuzzy Hash: 3C1140B9D0020AAFDB41CF98C884AEEBBF9FB08310F509166E915E2210D735AA54CF94

Function 004A2DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 004A2DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 004A2DD6
GetCurrentThreadId.KERNEL32 ref: 004A2DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 004A2DE4

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 875ce4e6fa84875c9714ca1075041573b23a2489e474233f0260d040329d8919
Instruction ID: c640dc4997dd81bfc8981cc77e39e8818434e40ab040f886a04aa59b1adb4f35
Opcode Fuzzy Hash: 875ce4e6fa84875c9714ca1075041573b23a2489e474233f0260d040329d8919
Instruction Fuzzy Hash: ACE092711422257BDB201B769C4DFEB3F6CEF53BA1F000027F505D10819AE8C841D6B4

Function 004D8863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00459639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00459693
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596A2
Part of subcall function 00459639: BeginPath.GDI32(?), ref: 004596B9
Part of subcall function 00459639: SelectObject.GDI32(?,00000000), ref: 004596E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 004D8887
LineTo.GDI32(?,?,?), ref: 004D8894
EndPath.GDI32(?), ref: 004D88A4
StrokePath.GDI32(?), ref: 004D88B2

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: f5ab688d72cffe9a957683257d67deb686fbeca8addc102e9761c82c06749508
Instruction ID: 2664e38b7238247bb07a401e116605790665306b17a4334baa32ab1815d2c055
Opcode Fuzzy Hash: f5ab688d72cffe9a957683257d67deb686fbeca8addc102e9761c82c06749508
Instruction Fuzzy Hash: 18F09A36002259FADB122F94AC09FDE3B19AF06310F008012FA11611E2C7781515DFAD

Function 004598B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 004598CC
SetTextColor.GDI32(?,?), ref: 004598D6
SetBkMode.GDI32(?,00000001), ref: 004598E9
GetStockObject.GDI32(00000005), ref: 004598F1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: e26463eab76b0fc71440375ccb2d85fe008c63a816323d3d9392049652d7d88b
Instruction ID: b099cf2ee14519a9ff141320a8571acd5c6f363b4344eb77e9d1607a7d2e3d4e
Opcode Fuzzy Hash: e26463eab76b0fc71440375ccb2d85fe008c63a816323d3d9392049652d7d88b
Instruction Fuzzy Hash: 57E03931245291AADF215B74AC49BED3F60AB12336F04822BF6FA581E2C3754640DF14

Function 004A162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 004A1634
OpenThreadToken.ADVAPI32(00000000,?,?,?,004A11D9), ref: 004A163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004A11D9), ref: 004A1648
OpenProcessToken.ADVAPI32(00000000,?,?,?,004A11D9), ref: 004A164F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 02697746fb84ed9abf6250e8d851bdfb5cb9cd2586addd8346ae99a9b8fc4a02
Instruction ID: 35d023e7b05fb92314854e21ee2d9a1adc1f5b86a08682e16fb29d83da064714
Opcode Fuzzy Hash: 02697746fb84ed9abf6250e8d851bdfb5cb9cd2586addd8346ae99a9b8fc4a02
Instruction Fuzzy Hash: 58E08631603212DBDB201FE09E4DB473B7CAF657A1F14482AF646C9090D6384440C798

Function 0049D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049D858
GetDC.USER32(00000000), ref: 0049D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049D882
ReleaseDC.USER32(?), ref: 0049D8A3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: a3498a10f2bb73d47a91dcc14269409cd809ebd074732f6f2e776d94ee45b594
Instruction ID: 3aaf4053f2078168c9955281b5f654ba84837fd02694930be7fe47ba03efe72d
Opcode Fuzzy Hash: a3498a10f2bb73d47a91dcc14269409cd809ebd074732f6f2e776d94ee45b594
Instruction Fuzzy Hash: 66E01AB0C01206DFCF41AFA1D88C66DBBB2FB08311F18802AE806E7250C7388906EF49

Function 0049D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0049D86C
GetDC.USER32(00000000), ref: 0049D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049D882
ReleaseDC.USER32(?), ref: 0049D8A3

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: afb1cae67f1dbccf9c3338bf22ba5292c787c2f63e3ce4fe37678ff89ba98f3d
Instruction ID: 8a0dd66dbd2cf0e8632969383f4558a253f4a699c4b0c1b5bdf8a92fedab7319
Opcode Fuzzy Hash: afb1cae67f1dbccf9c3338bf22ba5292c787c2f63e3ce4fe37678ff89ba98f3d
Instruction Fuzzy Hash: 01E01A70C01201DFCF519FA0D88C66DBBB1FB08311B18801AE806E7250C7389906DF48

Function 004B4D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00447620: _wcslen.LIBCMT ref: 00447625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 004B4ED4

Strings

LPT, xrefs: 004B4DFB
*, xrefs: 004B4E10

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 09e0236145630ea69f77f7ab70e3ccb08476f1a3f1a3636ed2f6c9e7f7cdd5b3
Instruction ID: fc6d50f192e5efcd8ea09b424c24f5cd83eeac2870246fe44556ac36402dc668
Opcode Fuzzy Hash: 09e0236145630ea69f77f7ab70e3ccb08476f1a3f1a3636ed2f6c9e7f7cdd5b3
Instruction Fuzzy Hash: 82916275A002149FDB14DF59C484EAABBF1BF84308F15809EE80A9F362D739ED46CB65

Function 0046E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0046E30D

Strings

pow, xrefs: 0046E2E5, 0046E302

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: d2ec362d2247b156f66eebbbbb5ecf01cdf7222e8afdbdbd2750263e8486627f
Instruction ID: b9c5f7d86daa2e0ed5751245eefc63fb416e1e6520d516d18cfaac5e2b88b105
Opcode Fuzzy Hash: d2ec362d2247b156f66eebbbbb5ecf01cdf7222e8afdbdbd2750263e8486627f
Instruction Fuzzy Hash: 34513B65A0C20296CB157715C9413FB3BD89B40740F60C9ABE499863E9FF3D8CD59A8F

Function 004C7771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0049569E,00000000,?,004DCC08,?,00000000,00000000), ref: 004C78DD

Part of subcall function 00446B57: _wcslen.LIBCMT ref: 00446B6A

CharUpperBuffW.USER32(0049569E,00000000,?,004DCC08,00000000,?,00000000,00000000), ref: 004C783B

Strings

<sP, xrefs: 004C77C8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <sP
API String ID: 3544283678-3175726631
Opcode ID: 54d96038577731159b43ad5261e1892af406e9be15824d66bceb810929d6c411
Instruction ID: a53b1428dbe54a61496e558a0edd951661e58ad60d94939172bb17e6dfdc153d
Opcode Fuzzy Hash: 54d96038577731159b43ad5261e1892af406e9be15824d66bceb810929d6c411
Instruction Fuzzy Hash: 08616E76914119ABEF04FFA5CC91EFEB374BF14704B44052FE602A3191EB386A05DBA9

Function 0045E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0045E1B1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3e6ac99848bb605edfe9246f7fd244e9b7fae93246d95f4b24dc47cd5f51c8d7
Instruction ID: b4315caa145df46ccb7fd89d66e4fc10af2c076208bdc4ae863a783938ca52a6
Opcode Fuzzy Hash: 3e6ac99848bb605edfe9246f7fd244e9b7fae93246d95f4b24dc47cd5f51c8d7
Instruction Fuzzy Hash: B0512235504206DFDF18DFAAC0806BA7BA4EF55310F2440ABFC519B391D6389E47CB6A

Function 0045F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0045F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0045F2BB

Strings

@, xrefs: 0045F2AF

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 4538dff3fd4836339bfc40263d9710bb2781d9f4dea7ae7cf927123355d85d65
Instruction ID: 34a939415a702d6c7226b88bc9533915341ea8f3f7fad2a26033a73c6dfb2535
Opcode Fuzzy Hash: 4538dff3fd4836339bfc40263d9710bb2781d9f4dea7ae7cf927123355d85d65
Instruction Fuzzy Hash: DD5155714097449BE320AF51D886BAFBBF8FB84304F81885EF1D9411A5EB358529CB6B

Function 004C5745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 004C57E0
_wcslen.LIBCMT ref: 004C57EC

Strings

CALLARGARRAY, xrefs: 004C57E6, 004C57EB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: daf429c218019d91477579fbb89ea123c851862e0eb7275cedd5cb9f5d18cfb1
Instruction ID: b039225f3c0b8f1924038c040c322aa6086fa70ee05cfdbc7127f434df01eec2
Opcode Fuzzy Hash: daf429c218019d91477579fbb89ea123c851862e0eb7275cedd5cb9f5d18cfb1
Instruction Fuzzy Hash: 9341A135A001059FCB14EFAAC881DAEBBB5EF59354F10406EF505A7352D738AD81CBA8

Function 004BD0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004BD130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004BD13A

Strings

|, xrefs: 004BD10B

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 2ee2b61de4ba264264921098ebee19c5feb20cf9203e359011c142a940ca8a52
Instruction ID: 97d0fa522cf00627de11069acf3e5aef7b2f3a08354bfaf10af945ac474c0140
Opcode Fuzzy Hash: 2ee2b61de4ba264264921098ebee19c5feb20cf9203e359011c142a940ca8a52
Instruction Fuzzy Hash: A6315071D00209ABDF15EFA5CC85AEF7FB9FF05304F10005AF815A6261E735A906CB69

Function 004D356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 004D3621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 004D365C

Strings

static, xrefs: 004D35BC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 2f55c15cc4cef9b8d1fd29aa5476389035e451670476e82d4a645b920e90d0bd
Instruction ID: e1354b893329e14a86276c5e1b0cc98c33cb79a2a3a18fcfd104cbf1477665a1
Opcode Fuzzy Hash: 2f55c15cc4cef9b8d1fd29aa5476389035e451670476e82d4a645b920e90d0bd
Instruction Fuzzy Hash: 1631AE71100604AADB20DF28DC90ABB73A9FF48724F00861FF8A597280DA39ED81D769

Function 004D4537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 004D461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 004D4634

Strings

', xrefs: 004D458E

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: bde404b34ffff47073bd94a9ca1ec898818a83c058ceafcb0084d58d9cc4641b
Instruction ID: 03f51e7ef033263042f15b21f0236713621bd572ee70497e4af5210c61d5f84b
Opcode Fuzzy Hash: bde404b34ffff47073bd94a9ca1ec898818a83c058ceafcb0084d58d9cc4641b
Instruction Fuzzy Hash: 92312774A0120AAFDB14CFA9D9A1BDA7BB5FF49300F10406BEA05AB381D774E941CF94

Function 004D31EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 004D327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004D3287

Strings

Combobox, xrefs: 004D3249

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 85faac9b5f1fd0a7ed863b29855315abec2e746e800ceeff68f94d24d302e6ce
Instruction ID: 3b457fb67f3f3924f69618d8a80f09f709bb9dbb7456207f2377ca6322dc6b7f
Opcode Fuzzy Hash: 85faac9b5f1fd0a7ed863b29855315abec2e746e800ceeff68f94d24d302e6ce
Instruction Fuzzy Hash: C9112271B002087FFF219F94DC90EBB3B6AEB98364F10412BF91897390C6399D518765

Function 004D3710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0044600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0044604C
Part of subcall function 0044600E: GetStockObject.GDI32(00000011), ref: 00446060
Part of subcall function 0044600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0044606A

GetWindowRect.USER32(00000000,?), ref: 004D377A
GetSysColor.USER32(00000012), ref: 004D3794

Strings

static, xrefs: 004D3757

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: eb57c96b918cdaa56d1f626eb82be2ef7fb499d5b63829b9e5cbaff2f103bda5
Instruction ID: fc0cd06173cac8f1bbfd3cf2a2525b9ad7b54a156b47af07ae6bf56b961d23c6
Opcode Fuzzy Hash: eb57c96b918cdaa56d1f626eb82be2ef7fb499d5b63829b9e5cbaff2f103bda5
Instruction Fuzzy Hash: 011159B261060AAFDF00DFA8CC46AEA7BB8EB08304F00452AF955E2250D739E811DB64

Function 004BCD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 004BCD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 004BCDA6

Strings

<local>, xrefs: 004BCD66

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ce9d563cbc023c67c2ffb78bfb61432b0ffb826bdf7fa9c688e809ca380ba349
Instruction ID: 6593229dd68f8330d21f8bcc2e13eb8938a26f9a109c86a3041524e2ce44e710
Opcode Fuzzy Hash: ce9d563cbc023c67c2ffb78bfb61432b0ffb826bdf7fa9c688e809ca380ba349
Instruction Fuzzy Hash: 0311C279245632BAD7384B668CC9EE7BEACEF527A4F40423BB14983180D7789841D6F4

Function 004D3429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004D34AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004D34BA

Strings

edit, xrefs: 004D348F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 0dfbe3b06bc623a6073ca19c96c83c7f88adb74e936b347bfcee1f13724a0fd8
Instruction ID: 2f59a3fba9966ff46245516af3b08cc07ef20119f7348624a7216ad763ab03e4
Opcode Fuzzy Hash: 0dfbe3b06bc623a6073ca19c96c83c7f88adb74e936b347bfcee1f13724a0fd8
Instruction Fuzzy Hash: A1116D71100108AAEB118E64ECA4AEB376AEB15379F504327F961933D0C77DEC519B5A

Function 004A6C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

CharUpperBuffW.USER32(?,?,?), ref: 004A6CB6
_wcslen.LIBCMT ref: 004A6CC2

Strings

STOP, xrefs: 004A6CBC, 004A6CC1

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 585f838addd6a1dcfa1d862e0a6b0067b0df7693e44685537eafc5f3cb32a4e4
Instruction ID: 51f64ff4f491644127389aad8bd5d4712397159713f694c84840bab8a5ce5ed0
Opcode Fuzzy Hash: 585f838addd6a1dcfa1d862e0a6b0067b0df7693e44685537eafc5f3cb32a4e4
Instruction Fuzzy Hash: 300104326005278BDB20AFBDDC808BF37A4EF72764716052AE86292295EB39D900C658

Function 004A1CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 004A1D4C

Strings

ListBox, xrefs: 004A1D16
ComboBox, xrefs: 004A1CEB

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 262886b944b74f2666aae01c137df1a02ea99058284643ea095d9063cb77da5a
Instruction ID: 15b7849d1167e34117b6e4773c509ced9e1cce4180d483045116549f4b1e2cc6
Opcode Fuzzy Hash: 262886b944b74f2666aae01c137df1a02ea99058284643ea095d9063cb77da5a
Instruction Fuzzy Hash: 0601F535611214ABDB04EBA4CC518FF7768FB23354F00061FB832573D1EA3869089664

Function 004A1BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 004A1C46

Strings

ListBox, xrefs: 004A1C10
ComboBox, xrefs: 004A1BE5

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 071a49af97f0ce6f05aef86313eab9341a6e2db73793d0a2dccfd44056e4b402
Instruction ID: d21346630dbf068fb782e4f9e67ee212914faffb0e9e8c5e8d863d645ead0480
Opcode Fuzzy Hash: 071a49af97f0ce6f05aef86313eab9341a6e2db73793d0a2dccfd44056e4b402
Instruction Fuzzy Hash: 5901A775AC110466DB14FB91CD519FF77A89B27394F14001FB407672D2EA289E08D6B9

Function 004A1C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 004A1CC8

Strings

ListBox, xrefs: 004A1C94
ComboBox, xrefs: 004A1C69

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8cbfb959939cb0bc9baa5f2f0d27be3b8cd24e6d1caf9223ccbeacf4a14da1a8
Instruction ID: f7a51ce49430393806f4c2f418fc2b9c8c77bb6fc90578602ee0c1d10dfc0609
Opcode Fuzzy Hash: 8cbfb959939cb0bc9baa5f2f0d27be3b8cd24e6d1caf9223ccbeacf4a14da1a8
Instruction Fuzzy Hash: 5201DB75A8111467DF04FB95CE41AFF77A89B23354F54001BB80273291FA289F08D6B9

Function 0045A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045A529

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Strings

3yI, xrefs: 0045A545, 0045A54D, 0045A552
,%Q, xrefs: 0045A509

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%Q$3yI
API String ID: 2551934079-1071883843
Opcode ID: b2421759035faadda96409f4d5995b7c02545e247171ecd844caccc2912c28cf
Instruction ID: 648746e381d02eb8b48b1fab99bc4f4a83cb9c0427ee793c85b59d53f0d1da34
Opcode Fuzzy Hash: b2421759035faadda96409f4d5995b7c02545e247171ecd844caccc2912c28cf
Instruction Fuzzy Hash: 7901473170061497D600F7A9D85BE9E3354AB05715F50011FF9021B2C3FE5C6D598A9F

Function 004A1D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00449CB3: _wcslen.LIBCMT ref: 00449CBD

Part of subcall function 004A3CA7: GetClassNameW.USER32(?,?,000000FF), ref: 004A3CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 004A1DD3

Strings

ListBox, xrefs: 004A1DA0
ComboBox, xrefs: 004A1D75

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a4ebf01f1b1661291d97dc04fda52d19682a7369e3b0a27b14d596ab95f65b68
Instruction ID: 22d49934ac4b6e9a1eaf528c44c616dc7801ff811ab3188651c4907c5c818e70
Opcode Fuzzy Hash: a4ebf01f1b1661291d97dc04fda52d19682a7369e3b0a27b14d596ab95f65b68
Instruction Fuzzy Hash: 2EF02D71B4121466D704F7A5CC91FFF7778AB13354F44091FB422632D1EB786D088668

Function 004D8172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00513018,0051305C), ref: 004D81BF
CloseHandle.KERNEL32 ref: 004D81D1

Strings

\0Q, xrefs: 004D818A

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0Q
API String ID: 3712363035-1506629975
Opcode ID: 39298829c5b8a0fc278ccc73f95ce168ab7a9d112297db2e89ca192b9a615c6f
Instruction ID: 2f46f9e9cc4a55fa7a43527276f2522fb7c47d8640e7181e99b9e487f1882361
Opcode Fuzzy Hash: 39298829c5b8a0fc278ccc73f95ce168ab7a9d112297db2e89ca192b9a615c6f
Instruction Fuzzy Hash: F8F05EB1640700BAF7206761AC69FF73EDCEB18754F004426BF08D52A2D6798F4492B9

Function 004C747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004C7493
_wcslen.LIBCMT ref: 004C74B9

Strings

3, 3, 16, 1, xrefs: 004C7483

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 543f7f5fbd605bfa83c3cff0e5a95485baa07f2ea8535f11277f376d504e51e9
Instruction ID: 45e17eaf5e2bffe9cb0ae5974074b864ff73e130e5230a90b159cc22b5b3f666
Opcode Fuzzy Hash: 543f7f5fbd605bfa83c3cff0e5a95485baa07f2ea8535f11277f376d504e51e9
Instruction Fuzzy Hash: 68E02B4A74462011A3B5127B9CC1F7F5A8ADFC9760714182FF981C2366FA9C8D9193AD

Function 004A0B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 004A0B23

Strings

Error allocating memory., xrefs: 004A0B1C
AutoIt, xrefs: 004A0B17

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 5a988e78aefb8286efccf5c825332d973b6fe4e22d508b32ccd310b0279f3e09
Instruction ID: beb60d32a384848502b03807395dd6013ba68455c33db475916b32eda1e4b68d
Opcode Fuzzy Hash: 5a988e78aefb8286efccf5c825332d973b6fe4e22d508b32ccd310b0279f3e09
Instruction Fuzzy Hash: 36E0D83134430926D2143795BC43F897B848F05F15F10042FFB48555C39ADA685486EE

Function 00460D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0045F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00460D71,?,?,?,0044100A), ref: 0045F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0044100A), ref: 00460D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0044100A), ref: 00460D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00460D7F

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: ea63d9ddd9de19cb85ede8b66247d616cd774e183023d3b75d13869ea5c6fbea
Instruction ID: b4396aaf9c4384deaaf9898fd2facedd68c0a123982e56a229f96da5c52b3928
Opcode Fuzzy Hash: ea63d9ddd9de19cb85ede8b66247d616cd774e183023d3b75d13869ea5c6fbea
Instruction Fuzzy Hash: 1FE092702007018BD3309FB9E4483477BE4AF14749F008A7FE486C6755EBB8E448CB9A

Function 0045E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0045E3D5

Strings

0%Q, xrefs: 0045E3B5
8%Q, xrefs: 0045E3CA

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%Q$8%Q
API String ID: 1385522511-2527737110
Opcode ID: 9add2d6fbb9792fce667f23d7d305d5abad1d3831bc80dc2617747b3f047374f
Instruction ID: 8c4a2a4ae19e0495878f0562025d59f2ceb8b111f464fd6dc04e021678371acf
Opcode Fuzzy Hash: 9add2d6fbb9792fce667f23d7d305d5abad1d3831bc80dc2617747b3f047374f
Instruction Fuzzy Hash: 8FE02631400A10CBC708971AF9E4EC93397BB05325F1241ABEC02CF2D2EB386D89A64E

Function 004B3017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 004B302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 004B3044

Strings

aut, xrefs: 004B3038

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: b3277536a4cb5df4c3a667068b3ed478dc328f6ab5f84d2595a744fbca9442f0
Instruction ID: 13abb99cc5a8c4c081aa7898c79f42adcd3ca04a175a76869cb90a64868084a9
Opcode Fuzzy Hash: b3277536a4cb5df4c3a667068b3ed478dc328f6ab5f84d2595a744fbca9442f0
Instruction Fuzzy Hash: EED05B7190131467DA20A7949C4DFCB3B6CD704750F0002A2B655D20D1DAB09544CAD4

Function 0049D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0049D220

Strings

%.3d, xrefs: 0049D22B
X64, xrefs: 0049D2A8

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: c9ee536fc51e451d710907bd79b8d3d4af697d0c1c1a609f429ce980c0fe654a
Instruction ID: 7e60b206db3f89b3522522619b4067cad92b38d9d71239abe66f9f19c7c2704b
Opcode Fuzzy Hash: c9ee536fc51e451d710907bd79b8d3d4af697d0c1c1a609f429ce980c0fe654a
Instruction Fuzzy Hash: 47D01261C09109EACF5097D0DC498BDBB7CBB18301F5084B3FC0691081D62CD50EA76B

Function 004D2356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D236C
PostMessageW.USER32(00000000), ref: 004D2373

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Strings

Shell_TrayWnd, xrefs: 004D2365

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d5eabe8c3a6d1bb7d4d779b9b342d14d425be867012a1a85325c245ad38eb643
Instruction ID: 118abc622daaf8b6b6466703975a8a8aab730f7cb9861cb04c7a6f99d4823945
Opcode Fuzzy Hash: d5eabe8c3a6d1bb7d4d779b9b342d14d425be867012a1a85325c245ad38eb643
Instruction Fuzzy Hash: B1D0C972382321BAEA64A771AC4FFCA7A58AB15B14F0049277655AA1D0C9A4A801CA58

Function 004D2322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004D232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 004D233F

Part of subcall function 004AE97B: Sleep.KERNEL32 ref: 004AE9F3

Strings

Shell_TrayWnd, xrefs: 004D2325

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: fdf151f8e975d3b289e382a6ce2166b8d07e5f8aa9bfe89ca91270416045b8f8
Instruction ID: cbfc64e605fddf7b1545781ed22937103b29056cdebe4301e6b55c2b8bb51b2a
Opcode Fuzzy Hash: fdf151f8e975d3b289e382a6ce2166b8d07e5f8aa9bfe89ca91270416045b8f8
Instruction Fuzzy Hash: 7FD02272381320B7EA74B331EC4FFCB7B08AB00B00F0009277305AA0D0C9F0A800CA08

Function 0047BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0047BE93
GetLastError.KERNEL32 ref: 0047BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0047BEFC

Memory Dump Source

Source File: 00000000.00000002.1329620730.0000000000441000.00000020.00000001.01000000.00000003.sdmp, Offset: 00440000, based on PE: true

Associated: 00000000.00000002.1329580617.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.00000000004DC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329726905.0000000000502000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329922822.000000000050C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1329954637.0000000000514000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_440000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 0485c0fed95156766e203775d21f581f7f78ca9f101a8892b8c46fb6a7bb3245
Instruction ID: a060bf7ae58d43eb116cd07179123c307ca63948accc4a1297d94b76ad0f830d
Opcode Fuzzy Hash: 0485c0fed95156766e203775d21f581f7f78ca9f101a8892b8c46fb6a7bb3245
Instruction Fuzzy Hash: 4D41C134601216ABCB218F65CC54BEB7BA4EF41B20F14C16BF95DA73A1EB348C01CB99

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View	IP Address: 151.101.193.91 151.101.193.91
Source: Joe Sandbox View	IP Address: 34.160.144.191 34.160.144.191

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 00000013.00000003.1356337381.0000019292D43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1469743721.00000192907D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1397320121.00000192907D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1478940378.0000019293124000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1468490223.000001929311B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1474960591.000001929311B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1397645559.00000192900CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469743721.00000192907D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475002591.0000019292BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1473468178.000001928F49A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1333573204.000001928F499000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1469743721.00000192907D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475002591.0000019292BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1396532977.0000019292BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1469743721.00000192907D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1397320121.00000192907D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1478940378.0000019293124000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1468490223.000001929311B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1474960591.000001929311B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1397645559.00000192900CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1469743721.00000192907D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475002591.0000019292BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1469743721.00000192907D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475002591.0000019292BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1396532977.0000019292BE5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2515423140.0000027F08303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516739401.000002227800C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2515423140.0000027F08303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516739401.000002227800C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2515423140.0000027F08303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2516739401.000002227800C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.2516739401.000002227800C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.2516739401.000002227800C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.2516739401.000002227800C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/nj` equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1396532977.0000019292BD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1475002591.0000019292BD3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000003.1469743721.00000192907D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1397320121.00000192907D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000003.1397645559.00000192900CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1478940378.0000019293124000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000003.1468490223.000001929311B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49809 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.193.91:443 -> 192.168.2.7:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.7:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49814 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49886 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49882 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49884 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49881 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49885 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49891 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.7:49892 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ad08eff1-d069-4d3e-ad86-61be7f6cb8c0.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_ad08eff1-d069-4d3e-ad86-61be7f6cb8c0.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\crashes\store.json.mozlz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\extensions.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\favicons.sqlite-shm

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre