Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1574263
MD5:	2fc0741f6f4a989e9b55081f90df178a
SHA1:	f565869e959f86c4b35f1f1e929a26a0428e8e9d
SHA256:	1f1f5ef3819b45c11862020855fd81065af664fee5fef3ade41e137919b825a6
Tags:	exeuser-Bitsight
Infos:

Detection

Credential Flusher

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Credential Flusher

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Machine Learning detection for sample

Connects to many different domains

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Classification

Process Tree

System is w10x64

file.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2FC0741F6F4A989E9B55081F90DF178A)

taskkill.exe (PID: 7936 cmdline: taskkill /F /IM firefox.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8032 cmdline: taskkill /F /IM chrome.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8096 cmdline: taskkill /F /IM msedge.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 8160 cmdline: taskkill /F /IM opera.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 8168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 7224 cmdline: taskkill /F /IM brave.exe /T MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 7272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

firefox.exe (PID: 7444 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7540 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 7588 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 5284 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fc0976-fc69-4595-b16c-ab50f7aacfc8} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c53856ad10 socket MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 4476 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -parentBuildID 20230927232528 -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26343 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e915a1-b7c5-49c2-a37f-d429fc5789c3} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54a67a210 rdd MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

firefox.exe (PID: 8028 cmdline: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1536 -prefMapHandle 5208 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07e6227e-e550-4669-9884-2f57c3500979} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54ad81710 utility MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 7876	JoeSecurity_CredentialFlusher	Yara detected Credential Flusher	Joe Security

Code function: 0_2_0086EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0086EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0086ED6A

Source: C:\Users\user\Desktop\file.exe

0_2_0086EAFF

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0085AA57

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00889576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00889576

System Summary

Binary is likely a compiled AutoIt script file

Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: file.exe, 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e3dfc23e-f
Source: file.exe, 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_71f20ebd-b
Source: file.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_54798d3c-a
Source: file.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_a7bb4a89-8

Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002958D3E9BF7 NtQuerySystemInformation,		18_2_000002958D3E9BF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002958D3E21F2 NtQuerySystemInformation,		18_2_000002958D3E21F2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0085D5EB

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00851201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00851201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0085E8F6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F8060	0_2_007F8060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00862046	0_2_00862046
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00858298	0_2_00858298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082E4FF	0_2_0082E4FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082676B	0_2_0082676B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00884873	0_2_00884873
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081CAA0	0_2_0081CAA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007FCAF0	0_2_007FCAF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080CC39	0_2_0080CC39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00826DD9	0_2_00826DD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080B119	0_2_0080B119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F91C0	0_2_007F91C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00811394	0_2_00811394
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00811706	0_2_00811706
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081781B	0_2_0081781B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008119B0	0_2_008119B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007F7920	0_2_007F7920
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080997D	0_2_0080997D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00817A4A	0_2_00817A4A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00817CA7	0_2_00817CA7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00811C77	0_2_00811C77
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00829EEE	0_2_00829EEE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0087BE44	0_2_0087BE44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00811F32	0_2_00811F32
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002958D3E9BF7	18_2_000002958D3E9BF7
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002958D3E21F2	18_2_000002958D3E21F2
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002958D3E2232	18_2_000002958D3E2232
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Code function: 18_2_000002958D3E291C	18_2_000002958D3E291C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00810A30 appears 46 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0080F9F2 appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 007F9CB3 appears 31 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal80.troj.evad.winEXE@34/38@70/12

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008637B5 GetLastError,FormatMessageW,

0_2_008637B5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008510BF AdjustTokenPrivileges,CloseHandle,		0_2_008510BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008516C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_008516C3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008651CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_008651CD

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085D4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0085D4DC

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0086648E

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007F42A2

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Mozilla\Firefox\SkeletonUILock-c388d246

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File created: C:\Users\user\AppData\Local\Temp\firefox

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE events (id INTEGER PRIMARY KEY, type INTEGER NOT NULL, count INTEGER NOT NULL, timestamp DATE );
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO events (type, count, timestamp) VALUES (:type, 1, date(:date));
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;
Source: firefox.exe, 0000000E.00000003.1521541462.000002C54C133000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;;Fy6
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;-
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9'
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT sum(count) FROM events;9
Source: firefox.exe, 0000000E.00000003.1569930767.000002C54AC4F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SELECT * FROM events WHERE type = :type AND timestamp = date(:date);

Source: file.exe	Virustotal: Detection: 29%
Source: file.exe	ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fc0976-fc69-4595-b16c-ab50f7aacfc8} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c53856ad10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -parentBuildID 20230927232528 -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26343 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e915a1-b7c5-49c2-a37f-d429fc5789c3} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54a67a210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1536 -prefMapHandle 5208 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07e6227e-e550-4669-9884-2f57c3500979} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54ad81710 utility
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fc0976-fc69-4595-b16c-ab50f7aacfc8} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c53856ad10 socket	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -parentBuildID 20230927232528 -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26343 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e915a1-b7c5-49c2-a37f-d429fc5789c3} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54a67a210 rdd	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1536 -prefMapHandle 5208 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07e6227e-e550-4669-9884-2f57c3500979} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54ad81710 utility	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdbV source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: xWindows.Security.Integrity.pdb source: firefox.exe, 0000000E.00000003.1547761329.000002C54ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1548153511.000002C54A9C5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdbUGP source: firefox.exe, 0000000E.00000003.1557960698.000002C547D30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: NapiNSP.pdb source: firefox.exe, 0000000E.00000003.1557960698.000002C547D30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: xWindows.StateRepositoryPS.pdb source: firefox.exe, 0000000E.00000003.1548241558.000002C54A999000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 0000000E.00000003.1554287286.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: netprofm.pdb source: firefox.exe, 0000000E.00000003.1549079022.000002C554901000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: z:\task_1551543573\build\openh264\gmpopenh264.pdb source: gmpopenh264.dll.tmp.14.dr
Source:	Binary string: netprofm.pdbUGP source: firefox.exe, 0000000E.00000003.1549079022.000002C554901000.00000004.00000020.00020000.00000000.sdmp

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Source: gmpopenh264.dll.tmp.14.dr

Static PE information: section name: .rodata

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00810A76 push ecx; ret

0_2_00810A89

Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp			Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0080F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_0080F98E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00881C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00881C41

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\file.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97448

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000002958D3E9BF7 rdtsc

18_2_000002958D3E9BF7

Source: C:\Users\user\Desktop\file.exe

API coverage: 3.8 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0085DBBE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0082C2A2 FindFirstFileExW,	0_2_0082C2A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008668EE FindFirstFileW,FindClose,	0_2_008668EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0086698F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0085D076
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0085D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0085D3A9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00869642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00869642
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0086979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0086979D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00869B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00869B2B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00865C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00865C97

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Source: firefox.exe, 00000010.00000002.3195058069.000001ACD5100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: firefox.exe, 00000012.00000002.3193901915.000002958D2E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu>
Source: firefox.exe, 00000010.00000002.3195058069.000001ACD5100000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
Source: file.exe, 00000000.00000002.1427235425.00000000014B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1420862295.0000000001493000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1423175704.00000000014AD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1421161688.000000000149B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1421440211.00000000014A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3195058069.000001ACD5100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3190023505.000001ACD4BBA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3193901915.000002958D2E0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3189834472.000002958CA7A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3194603451.000001F618800000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3189614648.000001F61833A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3194357693.000001ACD501F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 00000012.00000002.3193901915.000002958D2E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF8@
Source: firefox.exe, 00000010.00000002.3195058069.000001ACD5100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3193901915.000002958D2E0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files\Mozilla Firefox\firefox.exe

Code function: 18_2_000002958D3E9BF7 rdtsc

18_2_000002958D3E9BF7

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0086EAA2 BlockInput,

0_2_0086EAA2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00822622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00822622

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00814CE8 mov eax, dword ptr fs:[00000030h]

0_2_00814CE8

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00850B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00850B62

Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00822622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00822622
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0081083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0081083F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_008109D5 SetUnhandledExceptionFilter,	0_2_008109D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00810C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00810C21

Source: C:\Users\user\Desktop\file.exe

0_2_00851201

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00832BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00832BA5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0085B226 SendInput,keybd_event,

0_2_0085B226

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_008722DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_008722DA

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00850B62

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00851663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00851663

Source: file.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00810698 cpuid

0_2_00810698

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084D21C GetLocalTime,

0_2_0084D21C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0084D27A GetUserNameW,

0_2_0084D27A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0082B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0082B952

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007F42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007F42DE

Stealing of Sensitive Information

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7876, type: MEMORYSTR

Source: file.exe	Binary or memory string: WIN_81
Source: file.exe	Binary or memory string: WIN_XP
Source: file.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: file.exe	Binary or memory string: WIN_XPe
Source: file.exe	Binary or memory string: WIN_VISTA
Source: file.exe	Binary or memory string: WIN_7
Source: file.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected Credential Flusher

Source: Yara match

File source: Process Memory Space: file.exe PID: 7876, type: MEMORYSTR

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00871204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00871204
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00871806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00871806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	2 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	1 DLL Side-Loading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Extra Window Memory Injection	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Process Injection	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	29%	Virustotal		Browse
file.exe	32%	ReversingLabs	Win32.Ransomware.Generic
file.exe	100%	Avira	TR/ATRAPS.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	0%	Virustotal	Browse
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Avira URL Cloud	safe
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
example.org	93.184.215.14	true	false	high
star-mini.c10r.facebook.com	157.240.196.35	true	false	high
prod.classify-client.prod.webservices.mozgcp.net	35.190.72.216	true	false	high
prod.balrog.prod.cloudops.mozgcp.net	35.244.181.201	true	false	high
twitter.com	104.244.42.65	true	false	high
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82	true	false	high
services.addons.mozilla.org	151.101.129.91	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
dyna.wikimedia.org	185.15.58.224	true	false	high
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	true	false	high
contile.services.mozilla.com	34.117.188.166	true	false	high
youtube.com	142.250.181.110	true	false	high
prod.content-signature-chains.prod.webservices.mozgcp.net	34.160.144.191	true	false	high
youtube-ui.l.google.com	142.250.181.110	true	false	high
us-west1.prod.sumo.prod.webservices.mozgcp.net	34.149.128.2	true	false	high
reddit.map.fastly.net	151.101.129.140	true	false	high
ipv4only.arpa	192.0.0.171	true	false	high
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	true	false	high
push.services.mozilla.com	34.107.243.93	true	false	high
normandy-cdn.services.mozilla.com	35.201.103.21	true	false	high
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	true	false	high
www.reddit.com	unknown	unknown	false	high
spocs.getpocket.com	unknown	unknown	false	high
content-signature-2.cdn.mozilla.net	unknown	unknown	false	high
support.mozilla.org	unknown	unknown	false	high
firefox.settings.services.mozilla.com	unknown	unknown	false	high
www.youtube.com	unknown	unknown	false	high
www.facebook.com	unknown	unknown	false	high
detectportal.firefox.com	unknown	unknown	false	high
normandy.cdn.mozilla.net	unknown	unknown	false	high
shavar.services.mozilla.com	unknown	unknown	false	high
www.wikipedia.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l	firefox.exe, 0000000E.00000003.1485034952.000002C54C015000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545530650.000002C54C015000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1522048513.000002C54C015000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3190729646.000002958CDC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3191456316.000001F6187C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://detectportal.firefox.com/	firefox.exe, 0000000E.00000003.1476978965.000002C55299F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://datastudio.google.com/embed/reporting/	firefox.exe, 0000000E.00000003.1474472853.000002C554686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550458023.000002C553EED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1451391317.000002C548A94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1455736004.000002C548A96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1580282531.000002C553EED000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.mozilla.com0	gmpopenh264.dll.tmp.14.dr	false		high
https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl	firefox.exe, 0000000E.00000003.1419146294.000002C550921000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1418363000.000002C550923000.00000004.00000800.00020000.00000000.sdmp	false		high
https://merino.services.mozilla.com/api/v1/suggest	firefox.exe, 00000012.00000002.3190729646.000002958CD86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3191456316.000001F618787000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2019-09/schema.	firefox.exe, 0000000E.00000003.1582748039.000002C549772000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.leboncoin.fr/	firefox.exe, 0000000E.00000003.1487692508.000002C54AD3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568881694.000002C54AD4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578503041.000002C54AD57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562670204.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554287286.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/spocs	firefox.exe, 0000000E.00000003.1477953422.000002C550781000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com	firefox.exe, 0000000E.00000003.1572488781.000002C549D29000.00000004.00000800.00020000.00000000.sdmp	false		high
https://completion.amazon.com/search/complete?q=	firefox.exe, 0000000E.00000003.1391333582.000002C54804D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390782793.000002C54801B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391562522.000002C54807C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391457572.000002C548067000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390393356.000002C547E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390927583.000002C548034000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://ads.stickyadstv.com/firefox-etp	firefox.exe, 0000000E.00000003.1521386947.000002C54C1FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1423862623.000002C549683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1566895670.000002C54C1FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1484336043.000002C54C1FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543576017.000002C54C1FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1576504059.000002C54C1FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1580471273.000002C54C1FB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/ids/ecosystem_telemetryU	firefox.exe, 0000000E.00000003.1569975102.000002C54AC2E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.20h	firefox.exe, 0000000E.00000003.1439463981.000002C549EA3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/breach-details/	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://github.com/w3c/csswg-drafts/issues/4650	firefox.exe, 0000000E.00000003.1522048513.000002C54C061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545530650.000002C54C061000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/exec/obidos/external-search/	firefox.exe, 0000000E.00000003.1487692508.000002C54AD5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391333582.000002C54804D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390782793.000002C54801B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1541980007.000002C5507C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391562522.000002C54807C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391457572.000002C548067000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1492173188.000002C550B26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390393356.000002C547E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551657016.000002C5507C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390927583.000002C548034000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.msn.com	firefox.exe, 0000000E.00000003.1546127703.000002C54BDA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1485285435.000002C54BDA8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mozilla-services/screenshots	firefox.exe, 0000000E.00000003.1391333582.000002C54804D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390782793.000002C54801B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391457572.000002C548067000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390393356.000002C547E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390927583.000002C548034000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/addon/	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://tracking-protection-issues.herokuapp.com/new	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://youtube.com/	firefox.exe, 0000000E.00000003.1483187444.000002C55053D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://content-signature-2.cdn.mozilla.net/	firefox.exe, 0000000E.00000003.1485436335.000002C54BD49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://json-schema.org/draft/2020-12/schema/=	firefox.exe, 0000000E.00000003.1582748039.000002C549772000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht	firefox.exe, 0000000E.00000003.1519258989.000002C554694000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://api.accounts.firefox.com/v1	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/	firefox.exe, 0000000E.00000003.1541980007.000002C550781000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc	firefox.exe, 0000000E.00000003.1583244179.000002C5496A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.youtube.com/	firefox.exe, 00000013.00000002.3191456316.000001F61870C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1283601	firefox.exe, 0000000E.00000003.1451391317.000002C548A94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://MD8.mozilla.org/1/m	firefox.exe, 0000000E.00000003.1581595226.000002C5497CF000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bbc.co.uk/	firefox.exe, 0000000E.00000003.1487692508.000002C54AD3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568881694.000002C54AD4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578503041.000002C54AD57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562670204.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554287286.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/to-google-translate/	firefox.exe, 0000000E.00000003.1474472853.000002C554694000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573217103.000002C5546BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550369713.000002C5546AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540084681.000002C554697000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1519258989.000002C554694000.00000004.00000800.00020000.00000000.sdmp	false		high
https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=	firefox.exe, 0000000E.00000003.1543576017.000002C54C17B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3190729646.000002958CDC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3191456316.000001F6187C8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:	firefox.exe, 0000000E.00000003.1577517937.000002C54AD7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1487105677.000002C54AD7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568881694.000002C54AD7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554287286.000002C54AD7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562670204.000002C54AD7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1266220	firefox.exe, 0000000E.00000003.1451568317.000002C548A81000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mo	firefox.exe, 0000000E.00000003.1547682856.000002C54ACF7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mitmdetection.services.mozilla.com/	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://amazon.com	firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://static.adsafeprotected.com/firefox-etp-js	firefox.exe, 0000000E.00000003.1477953422.000002C5507C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1541980007.000002C5507C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1551657016.000002C5507C5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://youtube.com/account?=	recovery.jsonlz4.tmp.14.dr	false		high
https://shavar.services.mozilla.com/	firefox.exe, 0000000E.00000003.1555769629.000002C549EA3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg	firefox.exe, 00000010.00000002.3191533883.000001ACD4FB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3190729646.000002958CDE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3194793670.000001F618903000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.14.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture	firefox.exe, 0000000E.00000003.1548241558.000002C54A928000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1488084857.000002C54A928000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1570284186.000002C54A929000.00000004.00000800.00020000.00000000.sdmp	false		high
https://spocs.getpocket.com/	firefox.exe, 0000000E.00000003.1557201192.000002C549D3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1483187444.000002C55053D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.3190729646.000002958CD12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3191456316.000001F618713000.00000004.00000800.00020000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/abuse/report/addon/	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.iqiyi.com/	firefox.exe, 0000000E.00000003.1487692508.000002C54AD3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568881694.000002C54AD4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578503041.000002C54AD57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562670204.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554287286.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.	places.sqlite-wal.14.dr	false		high
https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/breach-stats?includeResolved=true	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.com/Z	firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://addons.mozilla.org/	firefox.exe, 0000000E.00000003.1475154652.000002C554375000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1584464	firefox.exe, 0000000E.00000003.1522048513.000002C54C061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545530650.000002C54C061000.00000004.00000800.00020000.00000000.sdmp	false		high
https://safebrowsing.google.com/safebrowsing/diagnostic?site=	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/user/dashboard	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1170143	firefox.exe, 0000000E.00000003.1451391317.000002C548A94000.00000004.00000800.00020000.00000000.sdmp	false		high
https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://monitor.firefox.com/about	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
http://mozilla.org/MPL/2.0/.	firefox.exe, 0000000E.00000003.1531905903.000002C549FBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1513506691.000002C5493C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1496562302.000002C5484E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1484808339.000002C54C0AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1442187951.000002C54ABCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1501082565.000002C54BED6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550458023.000002C553EBB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1399270155.000002C5484D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1502623232.000002C55099C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1537711067.000002C54933F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1396229682.000002C5493CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1398096651.000002C5493E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1549653996.000002C5493E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1484600277.000002C54C0E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1492173188.000002C550B75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550523131.000002C5493E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1523010506.000002C5494B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1527672020.000002C545B74000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553173474.000002C54AF51000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1448299050.000002C5493C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1495158691.000002C550C92000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.bellmedia.c	firefox.exe, 0000000E.00000003.1546420475.000002C54BD8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1567752183.000002C54BD8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1485436335.000002C54BD8A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.microsoftonline.com	firefox.exe, 0000000E.00000003.1546420475.000002C54BD98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://coverage.mozilla.org	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	gmpopenh264.dll.tmp.14.dr	false		high
http://x1.c.lencr.org/0	firefox.exe, 0000000E.00000003.1571466670.000002C549E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556089205.000002C549E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1521541462.000002C54C139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421340707.000002C54C14F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	firefox.exe, 0000000E.00000003.1571466670.000002C549E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556089205.000002C549E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1521541462.000002C54C139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1421340707.000002C54C14F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://infra.spec.whatwg.org/#ascii-whitespace	firefox.exe, 0000000E.00000003.1419146294.000002C550921000.00000004.00000800.00020000.00000000.sdmp	false		high
https://blocked.cdn.mozilla.net/	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored	firefox.exe, 0000000E.00000003.1583244179.000002C5496A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://developer.mozilla.org/en/docs/DOM:element.addEventListener	firefox.exe, 0000000E.00000003.1583244179.000002C5496A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://profiler.firefox.com	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://outlook.live.com/default.aspx?rru=compose&to=%s	firefox.exe, 0000000E.00000003.1393391895.000002C545B19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1393635422.000002C545B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1392822436.000002C545B33000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=793869	firefox.exe, 0000000E.00000003.1451531658.000002C548A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://identity.mozilla.com/apps/relay	firefox.exe, 0000000E.00000003.1571466670.000002C549E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556089205.000002C549E43000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mozilla.cloudflare-dns.com/dns-query	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2	firefox.exe, 0000000E.00000003.1486405875.000002C54AF9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1553173474.000002C54AF9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1546973951.000002C54AF9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562018993.000002C54AF9A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1577475954.000002C54AFA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568096340.000002C54AF9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bugzilla.mozilla.org/show_bug.cgi?id=1678448	firefox.exe, 0000000E.00000003.1451391317.000002C548A94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1455807573.000002C548A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://mail.yahoo.co.jp/compose/?To=%s	firefox.exe, 0000000E.00000003.1393391895.000002C545B19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1393635422.000002C545B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1392822436.000002C545B33000.00000004.00000800.00020000.00000000.sdmp	false		high
https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/	firefox.exe, 0000000E.00000003.1474472853.000002C554694000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573217103.000002C5546BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550369713.000002C5546AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1540084681.000002C554697000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1519258989.000002C554694000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile.services.mozilla.com/v1/tiles	firefox.exe, 0000000E.00000003.1580597555.000002C54C1CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://www.amazon.co.uk/	firefox.exe, 0000000E.00000003.1487692508.000002C54AD3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1568881694.000002C54AD4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1578503041.000002C54AD57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1562670204.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1554287286.000002C54AD39000.00000004.00000800.00020000.00000000.sdmp	false		high
https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/	firefox.exe, 0000000E.00000003.1519258989.000002C554694000.00000004.00000800.00020000.00000000.sdmp	false		high
https://monitor.firefox.com/user/preferences	firefox.exe, 00000010.00000002.3191137342.000001ACD4CC0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3192752661.000002958CE00000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000013.00000002.3190992506.000001F618640000.00000002.10000000.00040000.00000000.sdmp	false		high
https://screenshots.firefox.com/	firefox.exe, 0000000E.00000003.1475154652.000002C554375000.00000004.00000800.00020000.00000000.sdmp	false		high
https://truecolors.firefox.com/	firefox.exe, 0000000E.00000003.1475154652.000002C554375000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/search	firefox.exe, 0000000E.00000003.1555718084.000002C549EAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391333582.000002C54804D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390782793.000002C54801B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571337388.000002C549E6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391562522.000002C54807C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1391457572.000002C548067000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1492173188.000002C550B26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390393356.000002C547E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1556089205.000002C549E6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1571290856.000002C549EAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1390927583.000002C548034000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gpuweb.github.io/gpuweb/	firefox.exe, 0000000E.00000003.1522048513.000002C54C061000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1545530650.000002C54C061000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.149.100.209	prod.remote-settings.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
151.101.129.91	services.addons.mozilla.org	United States	54113	FASTLYUS	false
34.107.243.93	push.services.mozilla.com	United States	15169	GOOGLEUS	false
142.250.181.110	youtube.com	United States	15169	GOOGLEUS	false
34.107.221.82	prod.detectportal.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
35.244.181.201	prod.balrog.prod.cloudops.mozgcp.net	United States	15169	GOOGLEUS	false
34.117.188.166	contile.services.mozilla.com	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
35.201.103.21	normandy-cdn.services.mozilla.com	United States	15169	GOOGLEUS	false
35.190.72.216	prod.classify-client.prod.webservices.mozgcp.net	United States	15169	GOOGLEUS	false
34.160.144.191	prod.content-signature-chains.prod.webservices.mozgcp.net	United States	2686	ATGS-MMD-ASUS	false
34.120.208.123	telemetry-incoming.r53-2.services.mozilla.com	United States	15169	GOOGLEUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1574263
Start date and time:	2024-12-13 07:55:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@34/38@70/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 49 Number of non-executed functions: 293
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 54.213.181.160, 35.85.93.176, 44.228.225.150, 142.250.181.74, 172.217.17.46, 88.221.134.209, 88.221.134.155, 13.107.246.63, 23.218.208.109, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, shavar.prod.mozaws.net, ciscobinary.openh264.org, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, incoming.telemetry.mozilla.org, ctldl.windowsupdate.com, a17.rackcdn.com.mdc.edgesuite.net, detectportal.prod.mozaws.net, aus5.mozilla.org, fe3cr.delivery.mp.microsoft.com, a19.dscg10.akamai.net, redirector.gvt1.com, azureedge-t-prod.trafficmanager.net, safebrowsing.googleapis.com, location.services.mozilla.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
34.117.188.166	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
34.149.100.209	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
151.101.129.91	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
example.org	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
	file.exe	Get hash	malicious	Credential Flusher	Browse	93.184.215.14
star-mini.c10r.facebook.com	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	157.240.195.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	157.240.196.35
twitter.com	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.1
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65
	file.exe	Get hash	malicious	Credential Flusher	Browse	104.244.42.65

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.121.53
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
FASTLYUS	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	greatattitudewithnicefeatruewithgreatnicecreamypurplethingsgood.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	goodthhingswithgreatcapitalthingsforgreatnewswithgoodmorng.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	151.101.1.137
	creamkissingthingswithcreambananapackagecreamy.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	151.101.1.137
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	file.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	http://18.224.21.137/FFmnpShhHMMWeIqsVa2rJ69xinQlZ-7450	Get hash	malicious	Unknown	Browse	151.101.194.137
ATGS-MMD-ASUS	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	sparc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	34.0.41.226
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	51.92.80.67
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	48.252.209.208
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fb0aa01abe9d8e4037eb3473ca6e2dca	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Credential Flusher	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	35.244.181.201 34.149.100.209 34.160.144.191 151.101.129.91 34.120.208.123

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)	Pl8Tb06C8A.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse
	file.exe	Get hash	malicious	Credential Flusher	Browse

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_011744ec-992f-442b-98a4-a3cd771e5be8.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.182086930743402
Encrypted:	false
SSDEEP:	192:wLKMXsuBcbhbVbTbfbRbObtbyEl7n0rgxJA6unSrDtTkdBSlNJ:wLPhcNhnzFSJUrt1nSrDhkdBuv
MD5:	681FB9DFA983326AAB0AB6ECC6F1548E
SHA1:	EC55F221B3D950142B7E3850EBD0CF90687E2221
SHA-256:	0D6C8BEB55368969EDBA1EC553A502A0809BFE2F4D175168EFA02ADEFE5DC992
SHA-512:	EA9CFD00F1F278AD867ACC999CF3E4B4493693961018741A15B3CF27056DECB5FBF13474FFC8A3C2634B3966BA08CE769D9F9180249381307F4F8ACD45DC6F3E
Malicious:	false
Preview:	{"type":"uninstall","id":"011744ec-992f-442b-98a4-a3cd771e5be8","creationDate":"2024-12-13T08:39:54.397Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"73d066a5-c100-48bf-b029-480dc6f75d78","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_011744ec-992f-442b-98a4-a3cd771e5be8.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	8056
Entropy (8bit):	5.182086930743402
Encrypted:	false
SSDEEP:	192:wLKMXsuBcbhbVbTbfbRbObtbyEl7n0rgxJA6unSrDtTkdBSlNJ:wLPhcNhnzFSJUrt1nSrDhkdBuv
MD5:	681FB9DFA983326AAB0AB6ECC6F1548E
SHA1:	EC55F221B3D950142B7E3850EBD0CF90687E2221
SHA-256:	0D6C8BEB55368969EDBA1EC553A502A0809BFE2F4D175168EFA02ADEFE5DC992
SHA-512:	EA9CFD00F1F278AD867ACC999CF3E4B4493693961018741A15B3CF27056DECB5FBF13474FFC8A3C2634B3966BA08CE769D9F9180249381307F4F8ACD45DC6F3E
Malicious:	false
Preview:	{"type":"uninstall","id":"011744ec-992f-442b-98a4-a3cd771e5be8","creationDate":"2024-12-13T08:39:54.397Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":"Firefox","version":"118.0.1","displayVersion":"118.0.1","vendor":"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"73d066a5-c100-48bf-b029-480dc6f75d78","environment":{"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232528","version":"118.0.1","vendor":"Mozilla","displayVersion":"118.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":8191,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":4,"cores":2,"vendor":"GenuineIntel","name":"I

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.4593089050301797
Encrypted:	false
SSDEEP:	48:9SP0nUgwyZXYI65yFRX2D3GNTTfyn0Mk1iA:9SDKaIjo3UzyE1L
MD5:	D910AD167F0217587501FDCDB33CC544
SHA1:	2F57441CEFDC781011B53C1C5D29AC54835AFC1D
SHA-256:	E3699D9404A3FFC1AFF0CA8A3972DC0EF38BDAB927741E9F627C7C55CEA42E81
SHA-512:	F1871BF28FF25EE52BDB99C7A80AB715C7CAC164DCD2FD87E681168EE927FD2C5E80E03C91BB638D955A4627213BF575FF4D9EECAEDA7718C128CF2CE8F7CB3D
Malicious:	false
Preview:	... ftypisom....isomiso2avc1mp41....free....mdat..........E...H..,. .#..x264 - core 152 r2851 ba24899 - H.264/MPEG-4 AVC codec - Copyleft 2003-2017 - http://www.videolan.org/x264.html - options: cabac=1 ref=3 deblock=1:0:0 analyse=0x3:0x113 me=hex subme=7 psy=1 psy_rd=1.00:0.00 mixed_ref=1 me_range=16 chroma_me=1 trellis=1 8x8dct=1 cqm=0 deadzone=21,11 fast_pskip=1 chroma_qp_offset=-2 threads=4 lookahead_threads=1 sliced_threads=0 nr=0 decimate=1 interlaced=0 bluray_compat=0 constrained_intra=0 bframes=3 b_pyramid=2 b_adapt=1 b_bias=0 direct=1 weightb=1 open_gop=0 weightp=2 keyint=250 keyint_min=25 scenecut=40 intra_refresh=0 rc_lookahead=40 rc=crf mbtree=1 crf=23.0 qcomp=0.60 qpmin=0 qpmax=69 qpstep=4 ip_ratio=1.40 aq=1:1.00......e...+...s\|.kG3...'.u.."...,J.w.~.d\..(K....!.+..;....h....(.T.*...M......0..~L..8..B..A.y..R..,.zBP.';j.@.].w..........c......C=.'f....gI.$^.......m5V.L...{U..%V[....8......B..i..^,....:...,..5.m.%dA....moov...lmvhd...................(...........

C:\Users\user\AppData\Local\Temp\tmpaddon

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	453023
Entropy (8bit):	7.997718157581587
Encrypted:	true
SSDEEP:	12288:tESTeqTI2r4ZbCgUKWKNeRcPMb6qlV7hVZe3:tEsed2Xh9/bdzZe3
MD5:	85430BAED3398695717B0263807CF97C
SHA1:	FFFBEE923CEA216F50FCE5D54219A188A5100F41
SHA-256:	A9F4281F82B3579581C389E8583DC9F477C7FD0E20C9DFC91A2E611E21E3407E
SHA-512:	06511F1F6C6D44D076B3C593528C26A602348D9C41689DBF5FF716B671C3CA5756B12CB2E5869F836DEDCE27B1A5CFE79B93C707FD01F8E84B620923BB61B5F1
Malicious:	false
Preview:	PK.........bN...R..........gmpopenh264.dll..\|.E.0.=..I.....1....4f1q.`.........q.....'+....hm{.z..o_.{w........$..($A!...\|L...B&A2.s.{..Dd......c.U.U..9u.S...K.l`...../.d.-....\|.....&....9......wn..x......i.#O.+.Y.l......+....,3.3f..\..c.SSS,............N...GG...F.'.&.:'.K.Z&.>.@.g..M...M.`............ZR....^jg.G.Kb.o~va.....<Z..1.#.O.e.....D..X..i..$imBW..Q&.......P.....,M.,..:.c...-...\...........-i.K.I..4.a..6.....Ov=...W..F.CH.>...a.'.x...#@f...d..u.1....OV.1o}....g.5.._.3.J.Hi.Z.ipM....b.Z....%.G..F................/..3.q..J.....o...%.g.N..}..).3.N%.!..q........^I.m..~...6.#.~+.....A...I]r...x...<IYj....p0..`S.M@.E..f.=.;!.@.....E..E....... .0.n....Jd..d......uM.-.qI.lR..z..=}..r.D.XLZ....x.$..\|c.1.cUkM.&.Qn]..a]t.h...!.6 7..Jd.DvKJ"Wgd*%n...w...Jni.inmr.@M.$'Z.s....#)%..Rs..:.h....R....\..t.6..'.g.........Uj+F.cr:\|..!..K.W.Y...17......,....r.....>.N..3.R.Y.._\...Ir.DNJdM... .k...&V-....z.%...-...D..i..&...6....7.2T).>..0..%.&.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0CK3ZX5QEJI8AM4NZCUM.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	modified
Size (bytes):	5488
Entropy (8bit):	3.312180231855959
Encrypted:	false
SSDEEP:	24:YdfUEAHTIUx2dWoM155LN8zmZdfUEAHswM+bpoqdWoM155LFX1RgmXdfUEAH6lV8:YdiMUgdwyz6dig6Bdw+QdiAadwM1
MD5:	D9C2E04442BFDAFD68A88F3C8B9B1F2E
SHA1:	B55FCAF7D20C1CF22BC6C5309CD619A185288EF6
SHA-256:	0669B47AC526B9C6D3F1182AC1EEA0C30D31FD37B59432D7A7D20E5168B5B74F
SHA-512:	14870E9F92704A58362402120C6BF6A08032D142DDBD915B9ED207FFDEB09D4D553EFCD830F3A20C9E588735529D745124E9304198D364930247E9D3132BACB8
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........N2,M..........S...........................P.O. .:i.....+00.../C:\.....................1.....EWXX..PROGRA~1..t......O.I.Y.7....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.7............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.7..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............[.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312180231855959
Encrypted:	false
SSDEEP:	24:YdfUEAHTIUx2dWoM155LN8zmZdfUEAHswM+bpoqdWoM155LFX1RgmXdfUEAH6lV8:YdiMUgdwyz6dig6Bdw+QdiAadwM1
MD5:	D9C2E04442BFDAFD68A88F3C8B9B1F2E
SHA1:	B55FCAF7D20C1CF22BC6C5309CD619A185288EF6
SHA-256:	0669B47AC526B9C6D3F1182AC1EEA0C30D31FD37B59432D7A7D20E5168B5B74F
SHA-512:	14870E9F92704A58362402120C6BF6A08032D142DDBD915B9ED207FFDEB09D4D553EFCD830F3A20C9E588735529D745124E9304198D364930247E9D3132BACB8
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........N2,M..........S...........................P.O. .:i.....+00.../C:\.....................1.....EWXX..PROGRA~1..t......O.I.Y.7....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.7............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.7..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............[.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312180231855959
Encrypted:	false
SSDEEP:	24:YdfUEAHTIUx2dWoM155LN8zmZdfUEAHswM+bpoqdWoM155LFX1RgmXdfUEAH6lV8:YdiMUgdwyz6dig6Bdw+QdiAadwM1
MD5:	D9C2E04442BFDAFD68A88F3C8B9B1F2E
SHA1:	B55FCAF7D20C1CF22BC6C5309CD619A185288EF6
SHA-256:	0669B47AC526B9C6D3F1182AC1EEA0C30D31FD37B59432D7A7D20E5168B5B74F
SHA-512:	14870E9F92704A58362402120C6BF6A08032D142DDBD915B9ED207FFDEB09D4D553EFCD830F3A20C9E588735529D745124E9304198D364930247E9D3132BACB8
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........N2,M..........S...........................P.O. .:i.....+00.../C:\.....................1.....EWXX..PROGRA~1..t......O.I.Y.7....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.7............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.7..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............[.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N9NPE5070IPQD65O732N.temp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	5488
Entropy (8bit):	3.312180231855959
Encrypted:	false
SSDEEP:	24:YdfUEAHTIUx2dWoM155LN8zmZdfUEAHswM+bpoqdWoM155LFX1RgmXdfUEAH6lV8:YdiMUgdwyz6dig6Bdw+QdiAadwM1
MD5:	D9C2E04442BFDAFD68A88F3C8B9B1F2E
SHA1:	B55FCAF7D20C1CF22BC6C5309CD619A185288EF6
SHA-256:	0669B47AC526B9C6D3F1182AC1EEA0C30D31FD37B59432D7A7D20E5168B5B74F
SHA-512:	14870E9F92704A58362402120C6BF6A08032D142DDBD915B9ED207FFDEB09D4D553EFCD830F3A20C9E588735529D745124E9304198D364930247E9D3132BACB8
Malicious:	false
Preview:	...................................FL..................F.@.. ...p.........N2,M..........S...........................P.O. .:i.....+00.../C:\.....................1.....EWXX..PROGRA~1..t......O.I.Y.7....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....h.1.....CW.X..MOZILL~1..P......CW}W.Y.7............................>.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.....b.2..S..<W,. .firefox.exe.H......CW}W.Y.7..............................f.i.r.e.f.o.x...e.x.e.......[...............-.......Z............[.......C:\Program Files\Mozilla Firefox\firefox.exe....O.p.e.n. .a. .n.e.w. .b.r.o.w.s.e.r. .t.a.b.....-.n.e.w.-.t.a.b. .a.b.o.u.t.:.b.l.a.n.k.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.M.o.z.i.l.l.a. .F.i.r.e.f.o.x.\.f.i.r.e.f.o.x...e.x.e.........%ProgramFiles%\Mozilla Firefox\firefox.exe................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.941045274371212
Encrypted:	false
SSDEEP:	192:dLFS+OuPUkOdwiOdEiooslH5jV/ZiwBhZ0Xj3L9h38P:HFMXihslH5jVhiwBrD
MD5:	727692FACA3347E01B39DAF7E6961C3E
SHA1:	A3CABC6F8AE12CA523462CB38AB47723FC8B5C01
SHA-256:	676470AA4FCD4A497596F8031846E1BE06F8C8B7F694A18CB5FB47A324A9506B
SHA-512:	3F29DBBEB6F25801BFA50D68CD19CA1D7A924A0AA0E0E565D0FC4161D82B1BFC08382464D54EB9609D4C62F2512705BB4BB03EADF90B13FB7E77B59D1CF5BDFA
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"7bc86eac-c05c-4545-a5e5-03a2503c064a","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T10:58:21.623Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cd0a25e7-ded7-4f19-86ce-bb010938a092","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	6150
Entropy (8bit):	4.941045274371212
Encrypted:	false
SSDEEP:	192:dLFS+OuPUkOdwiOdEiooslH5jV/ZiwBhZ0Xj3L9h38P:HFMXihslH5jVhiwBrD
MD5:	727692FACA3347E01B39DAF7E6961C3E
SHA1:	A3CABC6F8AE12CA523462CB38AB47723FC8B5C01
SHA-256:	676470AA4FCD4A497596F8031846E1BE06F8C8B7F694A18CB5FB47A324A9506B
SHA-512:	3F29DBBEB6F25801BFA50D68CD19CA1D7A924A0AA0E0E565D0FC4161D82B1BFC08382464D54EB9609D4C62F2512705BB4BB03EADF90B13FB7E77B59D1CF5BDFA
Malicious:	false
Preview:	{"bookmarks-toolbar-default-on":{"slug":"bookmarks-toolbar-default-on","branch":{"slug":"control","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{},"enabled":true,"featureId":"bookmarks"}]},"active":true,"enrollmentId":"7bc86eac-c05c-4545-a5e5-03a2503c064a","experimentType":"nimbus","source":"rs-loader","userFacingName":"Bookmarks Toolbar Default On","userFacingDescription":"An experiment that turns the bookmarks toolbar on by default.","lastSeen":"2023-10-05T10:58:21.623Z","featureIds":["bookmarks"],"prefs":[],"isRollout":false},"csv-import-release-rollout":{"slug":"csv-import-release-rollout","branch":{"slug":"enable-csv-import","ratio":1,"feature":{"value":{},"enabled":false,"featureId":"this-is-included-for-desktop-pre-95-support"},"features":[{"value":{"csvImport":true},"enabled":true,"featureId":"cm-csv-import"}]},"active":true,"enrollmentId":"cd0a25e7-ded7-4f19-86ce-bb010938a092","experimentType":"r

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5317
Entropy (8bit):	6.6001890334338125
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6q+m:zTx2x2t0FDJ4NpkuvjdeplTMHm
MD5:	BB43EF1E7A5E32AB89416BF2B4856129
SHA1:	FB32DEEB5BAC138A427FFD4728327A68E18FAD82
SHA-256:	FFA8720630B79E63B854F6EB1C17BFEC588294DF4C87EACC2FF1DC80DDC7CF0A
SHA-512:	AA1CC532C583C70EA2332E19D261B3CE13C159B11DBC0D7DD9BE38594BE6060A30929ECA0B1938498A5A271BE4772E78B75CB9BD4D52D33DE094182DF52DCB10
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 22422 bytes
Category:	dropped
Size (bytes):	5317
Entropy (8bit):	6.6001890334338125
Encrypted:	false
SSDEEP:	96:z2YbKsKNU2xWrp327tGmD4wBON6h6cHAHJVauvjZHjkTymdS1/qTMg6q+m:zTx2x2t0FDJ4NpkuvjdeplTMHm
MD5:	BB43EF1E7A5E32AB89416BF2B4856129
SHA1:	FB32DEEB5BAC138A427FFD4728327A68E18FAD82
SHA-256:	FFA8720630B79E63B854F6EB1C17BFEC588294DF4C87EACC2FF1DC80DDC7CF0A
SHA-512:	AA1CC532C583C70EA2332E19D261B3CE13C159B11DBC0D7DD9BE38594BE6060A30929ECA0B1938498A5A271BE4772E78B75CB9BD4D52D33DE094182DF52DCB10
Malicious:	false
Preview:	mozLz40..W....{"app-system-defaults":{"addon....formautofill@mozilla.org&..Gdependencies":[],"enabled":true,"lastModifiedTime":1695865283000,"loader":null,"path":s.....xpi","recommendationStateA...rootURI":"jar:file:///C:/Program%20Files/M.......refox/browser/features/...... !/...unInSafeMode..wsignedD...telemetryKey..7%40R...:1.0.1","version":"..`},"pic..#in.....T.n..w...........S.......(.[......0....0"},"screenshots..T.r.....[.......(.V....-39.......},"webcompat-reporter...Ofals..&.z.....[.......(.]....=1.5.............<.)....p....d......1.z.!18...5.....startupData...pX.astentL..!er...webRequest%..onBefore...[[{"incognitoi.UtabId..!yp...."main_frame"],"url...."://login.microsoftonline.com/","..@us/L.dwindows...},["blocking"]],...Iimag...https://smartT.".f.....etp/facebook.svg",...Aplay....8`script...P.....-....-testbed.herokuapp\.`shims_..3.jsh.bexampl\|.......Pexten{..Q../?..s...S.J/_2..@&_3U..s7.addthis . ic...officialK......-angularjs/current/dist(..t.min.js...track.adB...net/s

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	3.91829583405449
Encrypted:	false
SSDEEP:	3:YWGifTJE6iHQ:YWGif9EE
MD5:	3088F0272D29FAA42ED452C5E8120B08
SHA1:	C72AA542EF60AFA3DF5DFE1F9FCC06C0B135BE23
SHA-256:	D587CEC944023447DC91BC5F71E2291711BA5ADD337464837909A26F34BC5A06
SHA-512:	B662414EDD6DEF8589304904263584847586ECCA0B0E6296FB3ADB2192D92FB48697C99BD27C4375D192150E3F99102702AF2391117FFF50A9763C74C193D798
Malicious:	false
Preview:	{"schema":6,"addons":[]}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\content-prefs.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 5, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 8, cookie 0x6, schema 4, largest root page 8, UTF-8, vacuum mode 1, version-valid-for 5
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	0.04905391753567332
Encrypted:	false
SSDEEP:	24:DLivwae+Q8Uu50xj0aWe9LxYkKA25Q5tvAA:D6wae+QtMImelekKDa5
MD5:	DD9D28E87ED57D16E65B14501B4E54D1
SHA1:	793839B47326441BE2D1336BA9A61C9B948C578D
SHA-256:	BB4E6C58C50BD6399ED70468C02B584595C29F010B66F864CD4D6B427FA365BC
SHA-512:	A2626F6A3CBADE62E38DA5987729D99830D0C6AA134D4A9E615026A5F18ACBB11A2C3C80917DAD76DA90ED5BAA9B0454D4A3C2DD04436735E78C974BA1D035B1
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......\|....~.}.}z}-\|.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 56 bytes
Category:	dropped
Size (bytes):	66
Entropy (8bit):	4.837595020998689
Encrypted:	false
SSDEEP:	3:3fX/xH8IXl/I3v0lb7iioW:vXpH1RPXt
MD5:	A6338865EB252D0EF8FCF11FA9AF3F0D
SHA1:	CECDD4C4DCAE10C2FFC8EB938121B6231DE48CD3
SHA-256:	078648C042B9B08483CE246B7F01371072541A2E90D1BEB0C8009A6118CBD965
SHA-512:	D950227AC83F4E8246D73F9F35C19E88CE65D0CA5F1EF8CCBB02ED6EFC66B1B7E683E2BA0200279D7CA4B49831FD8C3CEB0584265B10ACCFF2611EC1CA8C0C6C
Malicious:	false
Preview:	mozLz40.8.....{"v":1,"crashes":{},"countsByDay....rruptDate":null}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\extensions.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1853922070675935
Encrypted:	false
SSDEEP:	768:YI4dvfBXf4H6J4/4nN4O4amoavf4w4lB484QS4S4T:Y9mtvq
MD5:	A51B8E1B0ED704E954E172A7E926B5A6
SHA1:	EE8C7A958C82763917A79E242C76932B887759D8
SHA-256:	C4778491FA50712379FB7482F4D5F609EE0613A95E1ABCEDD9F6DE3302832C66
SHA-512:	D81C254A47EBE59CF4943EA1100CD688B45257B2D20AEE59BC0A8251B3BF1894F85B80248FA60259DD051819B7C4B68182D0AFD30ADFAD311042B3F131C8AF25
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{8defec20-1d2a-4e92-a8ca-6ec63d483a92}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\extensions.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	36830
Entropy (8bit):	5.1853922070675935
Encrypted:	false
SSDEEP:	768:YI4dvfBXf4H6J4/4nN4O4amoavf4w4lB484QS4S4T:Y9mtvq
MD5:	A51B8E1B0ED704E954E172A7E926B5A6
SHA1:	EE8C7A958C82763917A79E242C76932B887759D8
SHA-256:	C4778491FA50712379FB7482F4D5F609EE0613A95E1ABCEDD9F6DE3302832C66
SHA-512:	D81C254A47EBE59CF4943EA1100CD688B45257B2D20AEE59BC0A8251B3BF1894F85B80248FA60259DD051819B7C4B68182D0AFD30ADFAD311042B3F131C8AF25
Malicious:	false
Preview:	{"schemaVersion":35,"addons":[{"id":"formautofill@mozilla.org","syncGUID":"{8defec20-1d2a-4e92-a8ca-6ec63d483a92}","version":"1.0.1","type":"extension","loader":null,"updateURL":null,"installOrigins":null,"manifestVersion":2,"optionsURL":null,"optionsType":null,"optionsBrowserStyle":true,"aboutURL":null,"defaultLocale":{"name":"Form Autofill","creator":null,"developers":null,"translators":null,"contributors":null},"visible":true,"active":true,"userDisabled":false,"appDisabled":false,"embedderDisabled":false,"installDate":1695865283000,"updateDate":1695865283000,"applyBackgroundUpdates":1,"path":"C:\\Program Files\\Mozilla Firefox\\browser\\features\\formautofill@mozilla.org.xpi","skinnable":false,"sourceURI":null,"releaseNotesURI":null,"softDisabled":false,"foreignInstall":false,"strictCompatibility":true,"locales":[],"targetApplications":[{"id":"toolkit@mozilla.org","minVersion":null,"maxVersion":null}],"targetPlatforms":[],"signedDate":null,"seen":true,"dependencies":[],"incognito":"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\favicons.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Pl8Tb06C8A.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1021904
Entropy (8bit):	6.648417932394748
Encrypted:	false
SSDEEP:	12288:vYLdTfFKbNSjv92eFN+3wH+NYriA0Iq6lh6VawYIpAvwHN/Uf1h47HAfg1oet:vYLdTZ923NYrjwNpgwef1hzfg1x
MD5:	FE3355639648C417E8307C6D051E3E37
SHA1:	F54602D4B4778DA21BC97C7238FC66AA68C8EE34
SHA-256:	1ED7877024BE63A049DA98733FD282C16BD620530A4FB580DACEC3A78ACE914E
SHA-512:	8F4030BB2464B98ECCBEA6F06EB186D7216932702D94F6B84C56419E9CF65A18309711AB342D1513BF85AED402BC3535A70DB4395874828F0D35C278DD2EAC9C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......NH...)...)...)..eM...)..eM...)..eM..)..eM...)...)..i)..XA...)..XA..;)..XA...)...)..g)..cA...)..cA...)..Rich.)..........PE..d....z\.........." .....t................................................................`.........................................P...,...\|...(............P...H...z.................T...........................0...................p............................text...$s.......t.................. ..`.rdata...~...........x..............@..@.data....3..........................@....pdata...H...P...J..................@..@.rodata..............^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	116
Entropy (8bit):	4.968220104601006
Encrypted:	false
SSDEEP:	3:C3OuN9RAM7VDXcEzq+rEakOvTMBv+FdBAIABv+FEn:0BDUmHlvAWeWEn
MD5:	3D33CDC0B3D281E67DD52E14435DD04F
SHA1:	4DB88689282FD4F9E9E6AB95FCBB23DF6E6485DB
SHA-256:	F526E9F98841D987606EFEAFF7F3E017BA9FD516C4BE83890C7F9A093EA4C47B
SHA-512:	A4A96743332CC8EF0F86BC2E6122618BFC75ED46781DADBAC9E580CD73DF89E74738638A2CCCB4CAA4CBBF393D771D7F2C73F825737CDB247362450A0D4A4BC1
Malicious:	false
Preview:	Name: gmpopenh264.Description: GMP Plugin for OpenH264..Version: 1.8.1.APIs: encode-video[h264], decode-video[h264].

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\permissions.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, file counter 4, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.07319247292674429
Encrypted:	false
SSDEEP:	12:DBl/A0OWla0mwPxRymgObsCVR45wcYR4fmnsCVR4zkitp:DLhesh7Owd4+ji
MD5:	17A762A805C2AD3FAF7DEAAB45C352AB
SHA1:	0A766D8BA666DD7887E7C111361C960F467C6239
SHA-256:	3930DBB65CC3284C70CFEC2576402CB8DAF4C6AA6D6EF815AD5FC2FF19BB94AD
SHA-512:	DF5339879A4768F20417E6302E399B217F8AE72825EFDB9903F9C17C16A5CBCA86A334F3141B37ECBFDBDDF403D873FEA27F116DC140C85B2D8B19F9384D07D6
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......~s..F~s........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-shm

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.039461165957280435
Encrypted:	false
SSDEEP:	3:GHlhVdEnycULaiRtHlhVdEnycULai6lwl8a9//Ylll4llqlyllel4lt:G7VSPULai77VSPULai6OL9XIwlio
MD5:	D0F6DF9EDC3209FD8A4985EA80742911
SHA1:	756B84A520790D424DC6B4909C966FE39598F217
SHA-256:	A740BF40FB27A8305F322FBD24E2B037CEA018656B97F16EF437AFC4F58B6654
SHA-512:	671FAAAACDD863D40C0856D4F62C07D4401445ADC6ADF1DCAD05F9C43316541BD40C25A42823C62F45B1117356A045D334DA7FAEF447D570D004F0D2F92C0454
Malicious:	false
Preview:	..-.....................p.EP.&O!k.I..._.-<..B$K..-.....................p.EP.&O!k.I..._.-<..B$K........................................................'...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite-wal

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	163992
Entropy (8bit):	0.11744585647179033
Encrypted:	false
SSDEEP:	24:KjG5fkmqLxsZ+GwMnjxsMlukAUCFoBWUChe7CCQE/jKClpOCRxsa4wlm0VZ2i7+:dM1QrrlJuvgW1eU6P3VpPZk
MD5:	FF555E9FCD12984257CC36AAAFA0DD22
SHA1:	FEF54862A6620E911EE63EDCDB8FEAAEDD460CBC
SHA-256:	9F2BF3D448021D8C5FA67CF454CD64D5763F0F275E065E36001560B5C1F12744
SHA-512:	C709DCCBBAF0989425FB84514620FD2862CF6C0FAD3A5FDBCEB61E983C99394100FFDC12A1051F3C89DD8E78B08995839AA983E47D16357ABCFD46CDB5006E74
Malicious:	false
Preview:	7....-..........k.I..._...~............k.I..._.. iH..X................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs-1.js

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13990
Entropy (8bit):	5.469352027298673
Encrypted:	false
SSDEEP:	192:nAZsglyTozngRHsE1ibqp6KPQ77QCVUgaXe6iE0EK/4a9BK5R3NBw8d2kSl:nAZsglyTopAxQPQCVULiEmV2fw1k0
MD5:	9501219AF3D2D44CFE7702E9EA273B06
SHA1:	86AA07CEDF5ACA9D09677E5E52C22B9B9B293AEC
SHA-256:	2B28B30B58E6322B26C3D4BADFFD764ED31B99AA9CE9120474249DF4300710A8
SHA-512:	AEEA1EA26B35CFAD239989AA112CD3A1149D09AC76CADD9C8362EE08D50B58780CF8BB78FB21CEBAC860729ADD383F2CADCA5136636A80E9068C1F570D6ECA22
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "4cbb0eca-22b0-45bf-8c7b-17c3580947ca");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734079164);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734079164);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734079164);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	13990
Entropy (8bit):	5.469352027298673
Encrypted:	false
SSDEEP:	192:nAZsglyTozngRHsE1ibqp6KPQ77QCVUgaXe6iE0EK/4a9BK5R3NBw8d2kSl:nAZsglyTopAxQPQCVULiEmV2fw1k0
MD5:	9501219AF3D2D44CFE7702E9EA273B06
SHA1:	86AA07CEDF5ACA9D09677E5E52C22B9B9B293AEC
SHA-256:	2B28B30B58E6322B26C3D4BADFFD764ED31B99AA9CE9120474249DF4300710A8
SHA-512:	AEEA1EA26B35CFAD239989AA112CD3A1149D09AC76CADD9C8362EE08D50B58780CF8BB78FB21CEBAC860729ADD383F2CADCA5136636A80E9068C1F570D6ECA22
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "4cbb0eca-22b0-45bf-8c7b-17c3580947ca");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.backgroundErrors", 2);..user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1734079164);..user_pref("app.update.lastUpdateTime.background-update-timer", 1734079164);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1734079164);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 173407

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\protections.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 1, last written using SQLite version 3042000, page size 32768, file counter 5, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.04062825861060003
Encrypted:	false
SSDEEP:	6:ltBl/l4/WN1h4BEJYqWvLue3FMOrMZ0l:DBl/WuntfJiFxMZO
MD5:	18F65713B07CB441E6A98655B726D098
SHA1:	2CEFA32BC26B25BE81C411B60C9925CB0F1F8F88
SHA-256:	B6C268E48546B113551A5AF9CA86BB6A462A512DE6C9289315E125CEB0FD8621
SHA-512:	A6871076C7D7ED53B630F9F144ED04303AD54A2E60B94ECA2AA96964D1AB375EEFDCA86CE0D3EB0E9DBB81470C6BD159877125A080C95EB17E54A52427F805FB
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.......x..x..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionCheckpoints.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionCheckpoints.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	90
Entropy (8bit):	4.194538242412464
Encrypted:	false
SSDEEP:	3:YVXKQJAyiVLQwJtJDBA+AJ2LKZXJ3YFwHY:Y9KQOy6Lb1BA+m2L69Yr
MD5:	C4AB2EE59CA41B6D6A6EA911F35BDC00
SHA1:	5942CD6505FC8A9DABA403B082067E1CDEFDFBC4
SHA-256:	00AD9799527C3FD21F3A85012565EAE817490F3E0D417413BF9567BB5909F6A2
SHA-512:	71EA16900479E6AF161E0AAD08C8D1E9DED5868A8D848E7647272F3002E2F2013E16382B677ABE3C6F17792A26293B9E27EC78E16F00BD24BA3D21072BD1CAE2
Malicious:	false
Preview:	{"profile-after-change":true,"final-ui-startup":true,"sessionstore-windows-restored":true}

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionstore-backups\recovery.baklz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.328909587656377
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSVAbLXnIgt/pnxQwRlszT5sKpL8Gr3eHVPGVXTQoamhujJXXYzOBae:GUpOx8AbvnR6R5r3eQZTf4JHaTv4/f
MD5:	4DA6466B8D636FA9522C72AC40521ABC
SHA1:	3985D8750B3087BB82EAA0E6F257A383B3270895
SHA-256:	E4F31CA9C7F54068384357B39D8A89D31E065EEDE2D459E8DFCA1BE54C835F68
SHA-512:	E668ADFB477E29BFF047433EE648B85F617A92A93E62F6ED544F8512EFD0F04E31B38D13614074D6ED361FB4EA114A45D8406B7AC00A83ABB51A5441BA744321
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{18016218-8d57-41ab-ae0d-cbaed9e744b1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734079168701,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...901dfca9-0933-49dd-b8ad-c128d9fd5ae7","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P33878...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A51e19de0ffa8528fa1d4335ed7f73fa3f4df6437c31aaee3b1be0ea3fc874673","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39605,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.328909587656377
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSVAbLXnIgt/pnxQwRlszT5sKpL8Gr3eHVPGVXTQoamhujJXXYzOBae:GUpOx8AbvnR6R5r3eQZTf4JHaTv4/f
MD5:	4DA6466B8D636FA9522C72AC40521ABC
SHA1:	3985D8750B3087BB82EAA0E6F257A383B3270895
SHA-256:	E4F31CA9C7F54068384357B39D8A89D31E065EEDE2D459E8DFCA1BE54C835F68
SHA-512:	E668ADFB477E29BFF047433EE648B85F617A92A93E62F6ED544F8512EFD0F04E31B38D13614074D6ED361FB4EA114A45D8406B7AC00A83ABB51A5441BA744321
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{18016218-8d57-41ab-ae0d-cbaed9e744b1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734079168701,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...901dfca9-0933-49dd-b8ad-c128d9fd5ae7","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P33878...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A51e19de0ffa8528fa1d4335ed7f73fa3f4df6437c31aaee3b1be0ea3fc874673","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39605,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	Mozilla lz4 compressed data, originally 5861 bytes
Category:	dropped
Size (bytes):	1568
Entropy (8bit):	6.328909587656377
Encrypted:	false
SSDEEP:	24:v+USUGlcAxSVAbLXnIgt/pnxQwRlszT5sKpL8Gr3eHVPGVXTQoamhujJXXYzOBae:GUpOx8AbvnR6R5r3eQZTf4JHaTv4/f
MD5:	4DA6466B8D636FA9522C72AC40521ABC
SHA1:	3985D8750B3087BB82EAA0E6F257A383B3270895
SHA-256:	E4F31CA9C7F54068384357B39D8A89D31E065EEDE2D459E8DFCA1BE54C835F68
SHA-512:	E668ADFB477E29BFF047433EE648B85F617A92A93E62F6ED544F8512EFD0F04E31B38D13614074D6ED361FB4EA114A45D8406B7AC00A83ABB51A5441BA744321
Malicious:	false
Preview:	mozLz40.......{"version":["ses....restore",1],"windows":[{"tab..bentrie....url":"https://youtube.com/account?=.....rs.googl%...v3/signin/challenge/pwd","title[.C..cacheKey":0,"ID":6,"docshellUU...D"{18016218-8d57-41ab-ae0d-cbaed9e744b1}","resultPrincipalURI":null,"hasUserInteracte...true,"triggering8.p_base64z..\"3\":{}^...docIdentifier":7,"persistK..+}],"lastAccessed":1734079168701,"hidden":false,"searchMode...userContextId...attribut...{},"index":1...questedI..p0,"imag....chrome://global/skin/icons/warning.svg"..aselect...,"_closedTZ.@],"_...C..`GroupCF..":-1,"busy...t...Flags":2167541758....dth":1164,"height":891,"screenX":4...Y..Aizem..."maximize......BeforeMin...&..workspace9...901dfca9-0933-49dd-b8ad-c128d9fd5ae7","zD..1...Wm..l........j..:....1":{..mUpdate...startTim..P33878...centCrash..B0},".....Dcook.. hoc..."addons.mozilla.org","valu...A51e19de0ffa8528fa1d4335ed7f73fa3f4df6437c31aaee3b1be0ea3fc874673","path":"/","na..a"taarI\|.Recure...,`.Donly..fexpiry...39605,"originA...."f

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\storage.sqlite

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	SQLite 3.x database, user version 131075, last written using SQLite version 3042000, page size 512, file counter 6, database pages 8, cookie 0x4, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.0836444556178684
Encrypted:	false
SSDEEP:	24:JBwdh/cEUcR9PzNFPFHx/GJRBdkOrDcRB1trwDeAq2gRMyxr3:jnEUo9LXtR+JdkOnohYsl
MD5:	8B40B1534FF0F4B533AF767EB5639A05
SHA1:	63EDB539EA39AD09D701A36B535C4C087AE08CC9
SHA-256:	AF275A19A5C2C682139266065D90C237282274D11C5619A121B7BDBDB252861B
SHA-512:	54AF707698CED33C206B1B193DA414D630901762E88E37E99885A50D4D5F8DDC28367C9B401DFE251CF0552B4FA446EE28F78A97C9096AFB0F2898BFBB673B53
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\targeting.snapshot.json (copy)

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032112213501997
Encrypted:	false
SSDEEP:	48:YrSAYOdmjhUQZpExB1+anOqW5VhpZVjWKzzc8cyYMsku7f86SLAVL7sKsM5FtsfH:ycB5TEr5i+Kzzczvbw6KkMKXrc2Rn27
MD5:	707191F5797FE5FA39701927EB802306
SHA1:	B46C0131D60C4AE6493B4D526DE04B8A13D8130E
SHA-256:	F52189886ECDD4D61D8CDEB756A0F24178ED7882390766570E4181EB94E75476
SHA-512:	2C21A76A4242E31E6292C908E7B8747F767B5C6498986B57B441BBB0F7110741E9726AECD9165298CC25F9BE58D4F37A8010D1792DBDCBF9738861AA3AF6A222
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T08:39:09.130Z","profileAgeCreated":1696503493780,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\targeting.snapshot.json.tmp

Download File

Process:	C:\Program Files\Mozilla Firefox\firefox.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	5.032112213501997
Encrypted:	false
SSDEEP:	48:YrSAYOdmjhUQZpExB1+anOqW5VhpZVjWKzzc8cyYMsku7f86SLAVL7sKsM5FtsfH:ycB5TEr5i+Kzzczvbw6KkMKXrc2Rn27
MD5:	707191F5797FE5FA39701927EB802306
SHA1:	B46C0131D60C4AE6493B4D526DE04B8A13D8130E
SHA-256:	F52189886ECDD4D61D8CDEB756A0F24178ED7882390766570E4181EB94E75476
SHA-512:	2C21A76A4242E31E6292C908E7B8747F767B5C6498986B57B441BBB0F7110741E9726AECD9165298CC25F9BE58D4F37A8010D1792DBDCBF9738861AA3AF6A222
Malicious:	false
Preview:	{"environment":{"locale":"en-US","localeLanguageCode":"en","browserSettings":{"update":{"channel":"release","enabled":true,"autoDownload":true,"background":true}},"attributionData":{"campaign":"%2528not%2Bset%2529","content":"%2528not%2Bset%2529","dlsource":"mozorg","dltoken":"cd09ae95-e2cf-4b8b-8929-791b0dd48cdd","experiment":"%2528not%2Bset%2529","medium":"referral","source":"www.google.com","ua":"chrome","variation":"%2528not%2Bset%2529"},"currentDate":"2024-12-13T08:39:09.130Z","profileAgeCreated":1696503493780,"usesFirefoxSync":false,"isFxAEnabled":true,"isFxASignedIn":false,"sync":{"desktopDevices":0,"mobileDevices":0,"totalDevices":0},"xpinstallEnabled":true,"addonsInfo":{"addons":{"formautofill@mozilla.org":{"version":"1.0.1","type":"extension","isSystem":true,"isWebExtension":true,"name":"Form Autofill","userDisabled":false,"installDate":"2023-09-28T01:41:23.000Z"},"pictureinpicture@mozilla.org":{"version":"1.0.0","type":"extension","isSystem":true,"isWebExtension":true,"name"

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.706321485566327
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	971'776 bytes
MD5:	2fc0741f6f4a989e9b55081f90df178a
SHA1:	f565869e959f86c4b35f1f1e929a26a0428e8e9d
SHA256:	1f1f5ef3819b45c11862020855fd81065af664fee5fef3ade41e137919b825a6
SHA512:	6596810859e2448830eb3b12273bbdc54479f529f268f5802e8585f4f7f83b5477839273d71cf6a5a8be48fe70b089613270b69e6cad7bfdc7bb3fee7b1af012
SSDEEP:	24576:EqDEvCTbMWu7rQYlBQcBiT6rprG8aVyP:ETvC/MTQYxsWR7aVy
TLSH:	08259E027391D062FF9B92334F5AF6115BBC69260123E61F13A81D7ABE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675BD33D [Fri Dec 13 06:25:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F8A2C73F2E3h
jmp 00007F8A2C73EBEFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8A2C73EDCDh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F8A2C73ED9Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F8A2C74198Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F8A2C7419D8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F8A2C7419C1h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x169d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xeb000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x169d4	0x16a00	9b204a45ac8f6f574fc539b1bb4343ad	False	0.7086930248618785	data	7.189725204069166	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xeb000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45f0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd4718	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd4840	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4968	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c50	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d78	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5c20	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd64c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd6a30	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8fd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda080	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4e8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xda538	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xda634	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdabc8	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb254	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb6e4	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbce0	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc33c	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc7a4	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc8fc	0xdb56	data			1.0004630454140695
RT_GROUP_ICON	0xea454	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0xea4cc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xea4e0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xea4f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0xea508	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0xea5e4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 07:56:46.330751896 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:46.330765963 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:46.330781937 CET	443	49742	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:46.330801964 CET	443	49741	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:46.330951929 CET	49743	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:46.330988884 CET	443	49743	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:46.331224918 CET	49744	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:46.331245899 CET	443	49744	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:46.331597090 CET	49745	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:56:46.331608057 CET	443	49745	35.190.72.216	192.168.2.11
Dec 13, 2024 07:56:46.333033085 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:46.333044052 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:46.333044052 CET	49745	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:56:46.333049059 CET	49744	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:46.333049059 CET	49743	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:46.369012117 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:46.369044065 CET	443	49742	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:46.370615959 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:46.370646000 CET	443	49741	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:46.371917009 CET	49743	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:46.371958017 CET	443	49743	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:46.373210907 CET	49744	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:46.373228073 CET	443	49744	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:46.374492884 CET	49745	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:56:46.374506950 CET	443	49745	35.190.72.216	192.168.2.11
Dec 13, 2024 07:56:46.547636032 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:46.547682047 CET	443	49747	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:46.547766924 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:46.547902107 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:46.547914982 CET	443	49747	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:46.551805019 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:46.551842928 CET	443	49748	34.160.144.191	192.168.2.11
Dec 13, 2024 07:56:46.552242994 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:46.552390099 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:46.552407980 CET	443	49748	34.160.144.191	192.168.2.11
Dec 13, 2024 07:56:46.610194921 CET	49753	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:46.730007887 CET	80	49753	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:46.731138945 CET	49753	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:46.733508110 CET	49753	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:46.853245974 CET	80	49753	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:47.592411041 CET	443	49745	35.190.72.216	192.168.2.11
Dec 13, 2024 07:56:47.595391989 CET	49745	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:56:47.599725008 CET	443	49744	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.600277901 CET	443	49743	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.602929115 CET	49744	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.602931023 CET	49743	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.612273932 CET	49745	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:56:47.612306118 CET	443	49745	35.190.72.216	192.168.2.11
Dec 13, 2024 07:56:47.612462044 CET	49745	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:56:47.612550020 CET	443	49745	35.190.72.216	192.168.2.11
Dec 13, 2024 07:56:47.614617109 CET	49744	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.614635944 CET	443	49744	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.614685059 CET	49744	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.614799023 CET	443	49744	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.616612911 CET	49743	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.616632938 CET	443	49743	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.616673946 CET	49743	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.616854906 CET	443	49743	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.617975950 CET	49744	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.617990971 CET	49743	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.618050098 CET	49745	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:56:47.763328075 CET	443	49747	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:47.764904976 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:47.767798901 CET	443	49748	34.160.144.191	192.168.2.11
Dec 13, 2024 07:56:47.767864943 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:47.822405100 CET	80	49753	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:47.885133028 CET	49753	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:47.894157887 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:47.894197941 CET	443	49747	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:47.894567013 CET	443	49747	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:47.899585962 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:47.899621010 CET	443	49748	34.160.144.191	192.168.2.11
Dec 13, 2024 07:56:47.899996042 CET	443	49748	34.160.144.191	192.168.2.11
Dec 13, 2024 07:56:47.902286053 CET	49755	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.902328968 CET	443	49755	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.902746916 CET	49755	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.904414892 CET	49755	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:47.904436111 CET	443	49755	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:47.905323029 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:47.905486107 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:47.905524015 CET	443	49747	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:47.905632019 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:47.905673027 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:47.905810118 CET	49747	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:47.905841112 CET	443	49748	34.160.144.191	192.168.2.11
Dec 13, 2024 07:56:47.905982018 CET	49748	443	192.168.2.11	34.160.144.191
Dec 13, 2024 07:56:48.064987898 CET	443	49742	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.065208912 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.065709114 CET	443	49742	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.065957069 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.067708969 CET	443	49741	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.068139076 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.068438053 CET	443	49741	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.069164991 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.072319984 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.072319984 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.072334051 CET	443	49742	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.072704077 CET	443	49742	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.073252916 CET	49742	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.073405027 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.073415995 CET	443	49741	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.073528051 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.073586941 CET	443	49741	142.250.181.110	192.168.2.11
Dec 13, 2024 07:56:48.073803902 CET	49741	443	192.168.2.11	142.250.181.110
Dec 13, 2024 07:56:48.173190117 CET	49753	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.294300079 CET	80	49753	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:48.294666052 CET	49753	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.398606062 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.398864985 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.518455029 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:48.518527985 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.518579006 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:48.518709898 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.518815041 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.518892050 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:48.638524055 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:48.638590097 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:49.122733116 CET	443	49755	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:49.122870922 CET	49755	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:49.128192902 CET	49755	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:49.128213882 CET	443	49755	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:49.128330946 CET	49755	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:49.128340960 CET	443	49755	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:49.128351927 CET	443	49755	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:49.128418922 CET	49755	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:49.128701925 CET	49764	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:49.128750086 CET	443	49764	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:49.128928900 CET	49764	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:49.130265951 CET	49764	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:49.130281925 CET	443	49764	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:49.195319891 CET	49765	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:49.195358038 CET	443	49765	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:49.195485115 CET	49765	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:49.196904898 CET	49765	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:49.196918011 CET	443	49765	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:49.604069948 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:49.604873896 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:49.656228065 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:49.656234026 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:50.347206116 CET	443	49764	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:50.347279072 CET	49764	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:50.352318048 CET	49764	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:50.352330923 CET	443	49764	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:50.352421045 CET	49764	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:50.352504969 CET	443	49764	34.117.188.166	192.168.2.11
Dec 13, 2024 07:56:50.352627993 CET	49764	443	192.168.2.11	34.117.188.166
Dec 13, 2024 07:56:50.411400080 CET	443	49765	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:50.411521912 CET	49765	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:50.416541100 CET	49765	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:50.416541100 CET	49765	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:50.416551113 CET	443	49765	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:50.416707993 CET	443	49765	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:50.416774988 CET	49765	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:50.907586098 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:50.912266970 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:51.027324915 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:51.031984091 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:51.048135996 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:51.048177958 CET	443	49772	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:51.048424006 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:51.048697948 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:51.048708916 CET	443	49772	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:51.053128958 CET	49773	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:51.053150892 CET	443	49773	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:51.053463936 CET	49773	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:51.054944992 CET	49773	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:51.054955006 CET	443	49773	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:51.222773075 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:51.226809025 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:51.266752005 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:51.266767979 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:51.325283051 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:51.445099115 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:51.640465975 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:51.683552980 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:52.260591984 CET	443	49772	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:52.267329931 CET	443	49772	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:52.268800020 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:52.275016069 CET	443	49773	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:52.275089025 CET	49773	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:52.780693054 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:52.780725956 CET	443	49772	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:52.781089067 CET	443	49772	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:52.784399033 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:52.784475088 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:52.784576893 CET	49773	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:52.784600019 CET	443	49773	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:52.784630060 CET	49773	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:52.784648895 CET	443	49772	35.244.181.201	192.168.2.11
Dec 13, 2024 07:56:52.784893990 CET	443	49773	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:52.785248041 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:52.785265923 CET	49772	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:56:52.785270929 CET	49773	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:52.785902023 CET	49775	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:56:52.785934925 CET	443	49775	34.149.100.209	192.168.2.11
Dec 13, 2024 07:56:52.785995007 CET	49775	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:56:52.787184000 CET	49775	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:56:52.787199020 CET	443	49775	34.149.100.209	192.168.2.11
Dec 13, 2024 07:56:54.081362009 CET	443	49775	34.149.100.209	192.168.2.11
Dec 13, 2024 07:56:54.081528902 CET	49775	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:56:54.087147951 CET	49775	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:56:54.087161064 CET	443	49775	34.149.100.209	192.168.2.11
Dec 13, 2024 07:56:54.087244034 CET	49775	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:56:54.087332964 CET	443	49775	34.149.100.209	192.168.2.11
Dec 13, 2024 07:56:54.087382078 CET	49775	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:56:56.448374987 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:56.534884930 CET	49788	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:56.534919024 CET	443	49788	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:56.535341978 CET	49788	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:56.536761045 CET	49788	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:56.536772966 CET	443	49788	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:56.568159103 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:56.587831974 CET	49789	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.587876081 CET	443	49789	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:56.587981939 CET	49789	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.589380026 CET	49789	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.589390993 CET	443	49789	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:56.742134094 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.742175102 CET	443	49790	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:56.742780924 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.742815018 CET	443	49791	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:56.744036913 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.744146109 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.744219065 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.744231939 CET	443	49790	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:56.744311094 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:56.744335890 CET	443	49791	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:56.762839079 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:56.822093964 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:56.847569942 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:56.968667030 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:57.163743019 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:57.207643986 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:57.822848082 CET	443	49788	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:57.823043108 CET	49788	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:57.858095884 CET	443	49789	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:57.858256102 CET	49789	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:57.900002003 CET	49788	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:57.900021076 CET	443	49788	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:57.900182962 CET	49788	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:57.900394917 CET	49789	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:57.900394917 CET	49789	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:57.900407076 CET	443	49789	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:57.900554895 CET	443	49788	34.107.243.93	192.168.2.11
Dec 13, 2024 07:56:57.900852919 CET	49788	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:56:57.900966883 CET	443	49789	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:57.901738882 CET	49789	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.008702040 CET	443	49791	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.009848118 CET	443	49790	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.009879112 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.010137081 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.790797949 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.790823936 CET	443	49791	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.791239023 CET	443	49791	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.793008089 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.793024063 CET	443	49790	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.793359995 CET	443	49790	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.796421051 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.796514034 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.796559095 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.796636105 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.796696901 CET	443	49791	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.796761036 CET	443	49790	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:58.796859980 CET	49791	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:58.796861887 CET	49790	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:59.682459116 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:56:59.685329914 CET	49797	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:59.685376883 CET	443	49797	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:59.685600042 CET	49797	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:59.686849117 CET	49797	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:56:59.686866045 CET	443	49797	34.120.208.123	192.168.2.11
Dec 13, 2024 07:56:59.802206039 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:59.996965885 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:56:59.999867916 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:00.053599119 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:00.120126963 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:00.315032959 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:00.370038033 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:00.904864073 CET	443	49797	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:00.905302048 CET	49797	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:01.857037067 CET	49797	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:01.857064009 CET	443	49797	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:01.857172966 CET	49797	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:01.857407093 CET	443	49797	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:01.859394073 CET	49797	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:02.352221966 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:02.473167896 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:02.666925907 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:02.670062065 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:02.707978964 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:02.789838076 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:02.985364914 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:03.040116072 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:08.917129993 CET	49824	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:08.917165995 CET	443	49824	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:08.917582035 CET	49824	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:08.919105053 CET	49824	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:08.919122934 CET	443	49824	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:08.930402994 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:09.050101995 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:09.245295048 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:09.248584986 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:09.295979977 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:09.368290901 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:09.563541889 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:09.612462044 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:10.245764971 CET	443	49824	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:10.245841980 CET	49824	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:10.251008034 CET	49824	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:10.251014948 CET	443	49824	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:10.251112938 CET	49824	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:10.251543045 CET	443	49824	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:10.252000093 CET	49824	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:10.253763914 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:10.373526096 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:10.571659088 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:10.579157114 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:10.615411043 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:10.698930025 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:10.894397020 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:10.947520018 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:12.861331940 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:12.861375093 CET	443	49835	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:12.868746042 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:12.868896961 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:12.868913889 CET	443	49835	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:13.011534929 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:13.011586905 CET	443	49836	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:13.011832952 CET	49837	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:57:13.011842012 CET	443	49837	35.190.72.216	192.168.2.11
Dec 13, 2024 07:57:13.015810013 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:13.015933990 CET	49837	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:57:13.015933990 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:13.015954018 CET	443	49836	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:13.017445087 CET	49837	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:57:13.017455101 CET	443	49837	35.190.72.216	192.168.2.11
Dec 13, 2024 07:57:13.121876001 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:13.121911049 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:13.121985912 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:13.122114897 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:13.122123003 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:13.159416914 CET	49839	443	192.168.2.11	35.201.103.21
Dec 13, 2024 07:57:13.159461975 CET	443	49839	35.201.103.21	192.168.2.11
Dec 13, 2024 07:57:13.159712076 CET	49839	443	192.168.2.11	35.201.103.21
Dec 13, 2024 07:57:13.161103964 CET	49839	443	192.168.2.11	35.201.103.21
Dec 13, 2024 07:57:13.161118031 CET	443	49839	35.201.103.21	192.168.2.11
Dec 13, 2024 07:57:14.080065012 CET	443	49835	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.080085039 CET	443	49835	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.080149889 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.083625078 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.083632946 CET	443	49835	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.084007025 CET	443	49835	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.086158991 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.086266041 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.086405993 CET	443	49835	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.086565018 CET	49835	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.090024948 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:14.209748983 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:14.227715015 CET	443	49836	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:14.227823973 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.229163885 CET	443	49837	35.190.72.216	192.168.2.11
Dec 13, 2024 07:57:14.229278088 CET	49837	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:57:14.231019020 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.231034040 CET	443	49836	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:14.231427908 CET	443	49836	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:14.236406088 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.236561060 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.236658096 CET	443	49836	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:14.236816883 CET	49837	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:57:14.236830950 CET	443	49837	35.190.72.216	192.168.2.11
Dec 13, 2024 07:57:14.236871958 CET	49837	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:57:14.237061024 CET	443	49837	35.190.72.216	192.168.2.11
Dec 13, 2024 07:57:14.237117052 CET	49836	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.237354994 CET	49837	443	192.168.2.11	35.190.72.216
Dec 13, 2024 07:57:14.346584082 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:14.346785069 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:14.350311041 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:14.350318909 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:14.350543976 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:14.352940083 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:14.353075981 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:14.353158951 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:14.353164911 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:14.361089945 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.361135960 CET	443	49840	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.361249924 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.361320019 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.361327887 CET	443	49840	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.363651991 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.363682032 CET	443	49841	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.364255905 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.364255905 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.364284992 CET	443	49841	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.365608931 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.365618944 CET	443	49842	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.365916967 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.366014004 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:14.366023064 CET	443	49842	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:14.404270887 CET	443	49839	35.201.103.21	192.168.2.11
Dec 13, 2024 07:57:14.404365063 CET	49839	443	192.168.2.11	35.201.103.21
Dec 13, 2024 07:57:14.409600973 CET	49839	443	192.168.2.11	35.201.103.21
Dec 13, 2024 07:57:14.409610033 CET	443	49839	35.201.103.21	192.168.2.11
Dec 13, 2024 07:57:14.409699917 CET	49839	443	192.168.2.11	35.201.103.21
Dec 13, 2024 07:57:14.409867048 CET	443	49839	35.201.103.21	192.168.2.11
Dec 13, 2024 07:57:14.410248041 CET	49839	443	192.168.2.11	35.201.103.21
Dec 13, 2024 07:57:14.422401905 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.422441006 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:14.422775984 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.422949076 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:14.422961950 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:14.429444075 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:14.432173967 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:14.473460913 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:14.552486897 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:14.563338041 CET	443	49838	151.101.129.91	192.168.2.11
Dec 13, 2024 07:57:14.563400030 CET	49838	443	192.168.2.11	151.101.129.91
Dec 13, 2024 07:57:14.747615099 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:14.796423912 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:15.574130058 CET	443	49840	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.574403048 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.574795008 CET	443	49841	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.575125933 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.577507019 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.577526093 CET	443	49840	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.577588081 CET	443	49842	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.577719927 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.577810049 CET	443	49840	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.579891920 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.579898119 CET	443	49842	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.580116034 CET	443	49842	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.582051039 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.582063913 CET	443	49841	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.582287073 CET	443	49841	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.585956097 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586153984 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586159945 CET	443	49840	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.586174965 CET	443	49840	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.586227894 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586293936 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586360931 CET	443	49842	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.586618900 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586661100 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586884975 CET	49842	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586884975 CET	49840	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.586968899 CET	443	49841	35.244.181.201	192.168.2.11
Dec 13, 2024 07:57:15.587047100 CET	49841	443	192.168.2.11	35.244.181.201
Dec 13, 2024 07:57:15.591871023 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:15.641016960 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:15.641144991 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:15.644474030 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:15.644489050 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:15.644830942 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:15.647100925 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:15.647267103 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:15.647305965 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:15.647320032 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:15.711580038 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:15.851357937 CET	443	49843	34.149.100.209	192.168.2.11
Dec 13, 2024 07:57:15.852217913 CET	49843	443	192.168.2.11	34.149.100.209
Dec 13, 2024 07:57:15.906303883 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:15.910680056 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:15.963336945 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:16.030471087 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:16.225944042 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:16.278620958 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:25.928544044 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:26.048269987 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:26.229460955 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:26.349195004 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:30.478502989 CET	49885	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:30.478545904 CET	443	49885	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:30.479119062 CET	49885	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:30.480303049 CET	49885	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:30.480317116 CET	443	49885	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:31.690757036 CET	443	49885	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:31.691334963 CET	49885	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:31.694535017 CET	49885	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:31.694541931 CET	443	49885	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:31.694680929 CET	49885	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:31.694705009 CET	443	49885	34.107.243.93	192.168.2.11
Dec 13, 2024 07:57:31.695569992 CET	49885	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:57:31.697638988 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:31.817378998 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:32.011955976 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:32.015017986 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:32.061430931 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:32.134761095 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:32.330101967 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:32.377866030 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:42.022253036 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:42.142154932 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:42.338813066 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:42.459141970 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:43.278207064 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278237104 CET	443	49917	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.278340101 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278377056 CET	443	49918	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.278491020 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278500080 CET	443	49919	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.278614998 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278652906 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.278728962 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278765917 CET	443	49921	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.278830051 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278842926 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.278925896 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278937101 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278942108 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.278949976 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279118061 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279118061 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279119968 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279131889 CET	443	49917	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.279364109 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279391050 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.279552937 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279568911 CET	443	49921	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.279629946 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279643059 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.279704094 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279716969 CET	443	49919	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:43.279762983 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:43.279774904 CET	443	49918	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.498747110 CET	443	49918	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.499506950 CET	443	49921	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.499561071 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.499598980 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.499619961 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.499717951 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.499933004 CET	443	49919	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.500017881 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.500063896 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.500149965 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.502197981 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.502216101 CET	443	49918	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.502511024 CET	443	49918	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.503954887 CET	443	49917	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.504030943 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.504928112 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.504936934 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.505305052 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.506982088 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.507009029 CET	443	49921	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.507280111 CET	443	49921	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.509326935 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.509340048 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.509596109 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.511637926 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.511662006 CET	443	49919	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.511948109 CET	443	49919	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.514897108 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.514914036 CET	443	49917	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.515882015 CET	443	49917	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.520183086 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.520359993 CET	443	49918	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.520577908 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.520592928 CET	443	49918	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.520693064 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.520718098 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.520936966 CET	443	49921	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.520940065 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.521147966 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.521243095 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.521253109 CET	443	49921	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.521305084 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.521332979 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.521332979 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.521341085 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.521349907 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.521357059 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.521425962 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.521518946 CET	443	49919	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.523763895 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.523818970 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.524296045 CET	443	49917	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.526141882 CET	49919	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.526141882 CET	49917	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.526153088 CET	49918	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.526285887 CET	49921	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.526731968 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:44.646491051 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:44.731332064 CET	443	49920	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.731333971 CET	443	49922	34.120.208.123	192.168.2.11
Dec 13, 2024 07:57:44.737509966 CET	49922	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.737752914 CET	49920	443	192.168.2.11	34.120.208.123
Dec 13, 2024 07:57:44.862680912 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:44.865632057 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:44.915277958 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:45.098036051 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:45.180493116 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:45.231914043 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:54.875332117 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:54.995057106 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:57:55.191458941 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:57:55.311139107 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:05.004555941 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:05.124254942 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:05.321082115 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:05.440788031 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:12.170341969 CET	49986	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:58:12.170402050 CET	443	49986	34.107.243.93	192.168.2.11
Dec 13, 2024 07:58:12.170819044 CET	49986	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:58:12.172921896 CET	49986	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:58:12.172936916 CET	443	49986	34.107.243.93	192.168.2.11
Dec 13, 2024 07:58:13.391248941 CET	443	49986	34.107.243.93	192.168.2.11
Dec 13, 2024 07:58:13.391367912 CET	49986	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:58:13.397479057 CET	49986	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:58:13.397490025 CET	443	49986	34.107.243.93	192.168.2.11
Dec 13, 2024 07:58:13.397587061 CET	49986	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:58:13.397682905 CET	443	49986	34.107.243.93	192.168.2.11
Dec 13, 2024 07:58:13.398572922 CET	49986	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:58:13.401431084 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:13.521364927 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:13.724787951 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:13.729602098 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:13.768491983 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:13.850403070 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:14.044897079 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:14.085025072 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:23.728941917 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:23.848761082 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:24.045562983 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:24.165410042 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:33.857990980 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:33.978033066 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:34.174103022 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:34.294080973 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:43.986665964 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:44.106471062 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:44.302751064 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:44.423439026 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:54.114737988 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:54.234457016 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:58:54.431298971 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:58:54.550995111 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:04.244736910 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:04.364629984 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:04.561213970 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:04.681071043 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:14.374624968 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:14.494651079 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:14.691256046 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:14.811342955 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:24.502342939 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:24.622183084 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:24.818459988 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:24.938399076 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:33.914254904 CET	50030	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:59:33.914307117 CET	443	50030	34.107.243.93	192.168.2.11
Dec 13, 2024 07:59:33.914375067 CET	50030	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:59:33.915997982 CET	50030	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:59:33.916024923 CET	443	50030	34.107.243.93	192.168.2.11
Dec 13, 2024 07:59:34.631059885 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:34.750859022 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:34.947554111 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:35.067307949 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:35.130161047 CET	443	50030	34.107.243.93	192.168.2.11
Dec 13, 2024 07:59:35.130317926 CET	50030	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:59:35.136945009 CET	50030	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:59:35.136961937 CET	443	50030	34.107.243.93	192.168.2.11
Dec 13, 2024 07:59:35.137026072 CET	50030	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:59:35.137248993 CET	443	50030	34.107.243.93	192.168.2.11
Dec 13, 2024 07:59:35.139246941 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:35.139353037 CET	50030	443	192.168.2.11	34.107.243.93
Dec 13, 2024 07:59:35.258888006 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:35.453624010 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:35.457195044 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:35.502574921 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:35.577080965 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:35.772433996 CET	80	49757	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:35.819010019 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:45.460083008 CET	49758	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:45.579941988 CET	80	49758	34.107.221.82	192.168.2.11
Dec 13, 2024 07:59:45.776683092 CET	49757	80	192.168.2.11	34.107.221.82
Dec 13, 2024 07:59:45.896773100 CET	80	49757	34.107.221.82	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 13, 2024 07:56:45.909116030 CET	60141	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:45.910252094 CET	62689	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:45.911850929 CET	50238	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:45.916344881 CET	55994	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.047363997 CET	53	60141	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.050317049 CET	53	50238	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.053565025 CET	53	55994	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.330919027 CET	58437	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.334558010 CET	55648	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.334724903 CET	57142	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.414011002 CET	64268	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.470997095 CET	53	58437	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.471785069 CET	52999	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.472158909 CET	53	57142	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.472172022 CET	53	55648	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.476170063 CET	54834	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.476246119 CET	64426	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.551074028 CET	53	64268	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.609308958 CET	53	52999	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.610774994 CET	59903	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.613198042 CET	53	64426	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.613794088 CET	50698	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.614320040 CET	53	54834	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.614917994 CET	62105	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.749926090 CET	53	59903	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.750695944 CET	53	50698	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.753338099 CET	53	62105	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.769563913 CET	57259	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.769841909 CET	62875	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.770421028 CET	52567	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:46.907064915 CET	53	62875	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.907604933 CET	53	52567	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:46.986985922 CET	56203	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:47.107366085 CET	53	57259	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:47.124226093 CET	53	56203	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:47.156742096 CET	63523	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:47.294754982 CET	53	63523	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:47.894989967 CET	64051	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:48.170583010 CET	57767	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:48.171053886 CET	52051	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:48.257940054 CET	54267	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:48.309036016 CET	53	52051	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:48.309427023 CET	53	57767	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:48.316833019 CET	53	55647	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:48.710381985 CET	60137	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:48.849335909 CET	53	60137	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:48.851037979 CET	57044	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:49.053844929 CET	53	57044	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:49.054498911 CET	55101	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:49.194242954 CET	53	55101	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:50.905054092 CET	60623	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:51.043329954 CET	53	60623	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:51.049525023 CET	59284	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:51.053292036 CET	65409	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:51.190602064 CET	53	65409	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:51.192814112 CET	57605	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:51.243908882 CET	62652	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:51.279645920 CET	53	59284	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:51.283485889 CET	52276	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:51.330559969 CET	53	57605	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:51.381169081 CET	53	62652	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:51.422410011 CET	53	52276	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:52.786343098 CET	52450	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:52.923727036 CET	53	52450	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:52.926757097 CET	63563	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:53.063965082 CET	53	63563	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:56.464530945 CET	52247	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:56.500037909 CET	52311	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:56.607909918 CET	53	52247	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:56.637697935 CET	53	52311	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:56.642127991 CET	62211	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:56.779725075 CET	53	62211	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:59.683069944 CET	59847	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.683129072 CET	56619	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.683391094 CET	61753	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.820508957 CET	53	59847	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:59.820574999 CET	53	56619	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:59.821607113 CET	53	61753	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:59.824866056 CET	58412	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.825042963 CET	62084	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.825381041 CET	57900	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.962677956 CET	53	62084	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:59.963398933 CET	53	57900	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:59.963545084 CET	60706	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.963570118 CET	53	58412	1.1.1.1	192.168.2.11
Dec 13, 2024 07:56:59.963959932 CET	52123	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:56:59.964396954 CET	51391	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:00.101560116 CET	53	52123	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:00.102317095 CET	53	60706	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:00.102783918 CET	53	51391	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:00.351155996 CET	57201	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:00.353868961 CET	60937	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:00.488423109 CET	53	57201	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:00.491713047 CET	53	60937	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:01.212064981 CET	62911	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:01.212671995 CET	53155	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:01.349807978 CET	53	53155	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:01.350133896 CET	53	62911	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:01.350887060 CET	56894	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:01.351185083 CET	55371	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:01.489168882 CET	53	56894	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:01.492794037 CET	53	55371	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:08.917509079 CET	59214	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:09.054753065 CET	53	59214	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:12.862387896 CET	52977	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:12.982575893 CET	50387	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:13.000000954 CET	53	52977	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:13.021334887 CET	56293	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:13.120788097 CET	53	50387	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:13.122158051 CET	49644	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:13.158474922 CET	53	56293	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:13.159646988 CET	51716	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:13.261291027 CET	53	49644	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:13.262002945 CET	53223	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:13.298943043 CET	53	51716	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:13.302990913 CET	53308	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:13.400521994 CET	53	53223	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:13.441062927 CET	53	53308	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:30.478758097 CET	60192	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:30.616637945 CET	53	60192	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:43.280915022 CET	65457	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:57:43.435288906 CET	53	65457	1.1.1.1	192.168.2.11
Dec 13, 2024 07:57:44.527190924 CET	60075	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:58:12.029094934 CET	58206	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:58:12.168874025 CET	53	58206	1.1.1.1	192.168.2.11
Dec 13, 2024 07:58:12.170646906 CET	49465	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:58:12.308095932 CET	53	49465	1.1.1.1	192.168.2.11
Dec 13, 2024 07:58:13.402425051 CET	64366	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:59:33.631573915 CET	63381	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:59:33.774285078 CET	53	63381	1.1.1.1	192.168.2.11
Dec 13, 2024 07:59:33.775686026 CET	55503	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:59:33.912889004 CET	53	55503	1.1.1.1	192.168.2.11
Dec 13, 2024 07:59:33.913753033 CET	59014	53	192.168.2.11	1.1.1.1
Dec 13, 2024 07:59:34.053366899 CET	53	59014	1.1.1.1	192.168.2.11
Dec 13, 2024 07:59:35.139517069 CET	50563	53	192.168.2.11	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 13, 2024 07:56:45.909116030 CET	192.168.2.11	1.1.1.1	0x4246	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:45.910252094 CET	192.168.2.11	1.1.1.1	0x1b11	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:45.911850929 CET	192.168.2.11	1.1.1.1	0x1bfa	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:45.916344881 CET	192.168.2.11	1.1.1.1	0xe9c1	Standard query (0)	spocs.getpocket.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.330919027 CET	192.168.2.11	1.1.1.1	0xbbe0	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.334558010 CET	192.168.2.11	1.1.1.1	0xcee9	Standard query (0)	youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.334724903 CET	192.168.2.11	1.1.1.1	0x890	Standard query (0)	contile.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.414011002 CET	192.168.2.11	1.1.1.1	0xac78	Standard query (0)	content-signature-2.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.471785069 CET	192.168.2.11	1.1.1.1	0x2454	Standard query (0)	prod.detectportal.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:56:46.476170063 CET	192.168.2.11	1.1.1.1	0xb14d	Standard query (0)	contile.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:46.476246119 CET	192.168.2.11	1.1.1.1	0x9034	Standard query (0)	youtube.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:46.610774994 CET	192.168.2.11	1.1.1.1	0xa512	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.613794088 CET	192.168.2.11	1.1.1.1	0x36df	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.614917994 CET	192.168.2.11	1.1.1.1	0xa2c7	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.769563913 CET	192.168.2.11	1.1.1.1	0xc952	Standard query (0)	prod.ads.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:56:46.769841909 CET	192.168.2.11	1.1.1.1	0xff1f	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:56:46.770421028 CET	192.168.2.11	1.1.1.1	0x60c3	Standard query (0)	prod.classify-client.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:56:46.986985922 CET	192.168.2.11	1.1.1.1	0x3460	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:47.156742096 CET	192.168.2.11	1.1.1.1	0xa99	Standard query (0)	prod.content-signature-chains.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:56:47.894989967 CET	192.168.2.11	1.1.1.1	0x5d6d	Standard query (0)	shavar.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.170583010 CET	192.168.2.11	1.1.1.1	0x6a89	Standard query (0)	example.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.171053886 CET	192.168.2.11	1.1.1.1	0x440e	Standard query (0)	ipv4only.arpa	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.257940054 CET	192.168.2.11	1.1.1.1	0xb29a	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.710381985 CET	192.168.2.11	1.1.1.1	0x5949	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.851037979 CET	192.168.2.11	1.1.1.1	0x1151	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:49.054498911 CET	192.168.2.11	1.1.1.1	0x91c5	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:50.905054092 CET	192.168.2.11	1.1.1.1	0xb1da	Standard query (0)	support.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.049525023 CET	192.168.2.11	1.1.1.1	0x87aa	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.053292036 CET	192.168.2.11	1.1.1.1	0xbf81	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.192814112 CET	192.168.2.11	1.1.1.1	0xe8cd	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:51.243908882 CET	192.168.2.11	1.1.1.1	0x70aa	Standard query (0)	firefox.settings.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.283485889 CET	192.168.2.11	1.1.1.1	0x9af8	Standard query (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:56:52.786343098 CET	192.168.2.11	1.1.1.1	0x2f0	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:52.926757097 CET	192.168.2.11	1.1.1.1	0xe90f	Standard query (0)	prod.remote-settings.prod.webservices.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:56:56.464530945 CET	192.168.2.11	1.1.1.1	0xbf34	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:56.500037909 CET	192.168.2.11	1.1.1.1	0xbee6	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:56.642127991 CET	192.168.2.11	1.1.1.1	0x158c	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:59.683069944 CET	192.168.2.11	1.1.1.1	0x4b0	Standard query (0)	www.youtube.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.683129072 CET	192.168.2.11	1.1.1.1	0xf3a7	Standard query (0)	www.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.683391094 CET	192.168.2.11	1.1.1.1	0xcec	Standard query (0)	www.wikipedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.824866056 CET	192.168.2.11	1.1.1.1	0xf61	Standard query (0)	dyna.wikimedia.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.825042963 CET	192.168.2.11	1.1.1.1	0x4b12	Standard query (0)	youtube-ui.l.google.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.825381041 CET	192.168.2.11	1.1.1.1	0xac6e	Standard query (0)	star-mini.c10r.facebook.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.963545084 CET	192.168.2.11	1.1.1.1	0x3a44	Standard query (0)	youtube-ui.l.google.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:59.963959932 CET	192.168.2.11	1.1.1.1	0x6ca4	Standard query (0)	star-mini.c10r.facebook.com	28	IN (0x0001)	false
Dec 13, 2024 07:56:59.964396954 CET	192.168.2.11	1.1.1.1	0xd776	Standard query (0)	dyna.wikimedia.org	28	IN (0x0001)	false
Dec 13, 2024 07:57:00.351155996 CET	192.168.2.11	1.1.1.1	0xabdf	Standard query (0)	www.reddit.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:00.353868961 CET	192.168.2.11	1.1.1.1	0xd079	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.212064981 CET	192.168.2.11	1.1.1.1	0xd41	Standard query (0)	twitter.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.212671995 CET	192.168.2.11	1.1.1.1	0x4b89	Standard query (0)	reddit.map.fastly.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.350887060 CET	192.168.2.11	1.1.1.1	0xa2d3	Standard query (0)	reddit.map.fastly.net	28	IN (0x0001)	false
Dec 13, 2024 07:57:01.351185083 CET	192.168.2.11	1.1.1.1	0xc887	Standard query (0)	twitter.com	28	IN (0x0001)	false
Dec 13, 2024 07:57:08.917509079 CET	192.168.2.11	1.1.1.1	0x52c0	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:57:12.862387896 CET	192.168.2.11	1.1.1.1	0x2bf	Standard query (0)	prod.balrog.prod.cloudops.mozgcp.net	28	IN (0x0001)	false
Dec 13, 2024 07:57:12.982575893 CET	192.168.2.11	1.1.1.1	0x6af8	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.021334887 CET	192.168.2.11	1.1.1.1	0xe8e	Standard query (0)	normandy.cdn.mozilla.net	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.122158051 CET	192.168.2.11	1.1.1.1	0x5f67	Standard query (0)	services.addons.mozilla.org	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.159646988 CET	192.168.2.11	1.1.1.1	0xafa7	Standard query (0)	normandy-cdn.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.262002945 CET	192.168.2.11	1.1.1.1	0x9e48	Standard query (0)	services.addons.mozilla.org	28	IN (0x0001)	false
Dec 13, 2024 07:57:13.302990913 CET	192.168.2.11	1.1.1.1	0xaf57	Standard query (0)	normandy-cdn.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:57:30.478758097 CET	192.168.2.11	1.1.1.1	0x7dcc	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:57:43.280915022 CET	192.168.2.11	1.1.1.1	0xbfed	Standard query (0)	telemetry-incoming.r53-2.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:57:44.527190924 CET	192.168.2.11	1.1.1.1	0x7cb8	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:58:12.029094934 CET	192.168.2.11	1.1.1.1	0xf52f	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:58:12.170646906 CET	192.168.2.11	1.1.1.1	0x6518	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:58:13.402425051 CET	192.168.2.11	1.1.1.1	0x2a63	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:59:33.631573915 CET	192.168.2.11	1.1.1.1	0x99b8	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:59:33.775686026 CET	192.168.2.11	1.1.1.1	0x17ff	Standard query (0)	push.services.mozilla.com	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:59:33.913753033 CET	192.168.2.11	1.1.1.1	0x78d4	Standard query (0)	push.services.mozilla.com	28	IN (0x0001)	false
Dec 13, 2024 07:59:35.139517069 CET	192.168.2.11	1.1.1.1	0xd7cc	Standard query (0)	detectportal.firefox.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 13, 2024 07:56:32.868911982 CET	1.1.1.1	192.168.2.11	0x35ff	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:32.868911982 CET	1.1.1.1	192.168.2.11	0x35ff	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.046964884 CET	1.1.1.1	192.168.2.11	0x7175	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.047363997 CET	1.1.1.1	192.168.2.11	0x4246	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.050317049 CET	1.1.1.1	192.168.2.11	0x1bfa	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.053565025 CET	1.1.1.1	192.168.2.11	0xe9c1	No error (0)	spocs.getpocket.com	prod.ads.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:46.053565025 CET	1.1.1.1	192.168.2.11	0xe9c1	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.053677082 CET	1.1.1.1	192.168.2.11	0x1b11	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:46.053677082 CET	1.1.1.1	192.168.2.11	0x1b11	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.470997095 CET	1.1.1.1	192.168.2.11	0xbbe0	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.472158909 CET	1.1.1.1	192.168.2.11	0x890	No error (0)	contile.services.mozilla.com		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.472172022 CET	1.1.1.1	192.168.2.11	0xcee9	No error (0)	youtube.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.536405087 CET	1.1.1.1	192.168.2.11	0xce73	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:46.536405087 CET	1.1.1.1	192.168.2.11	0xce73	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.551074028 CET	1.1.1.1	192.168.2.11	0xac78	No error (0)	content-signature-2.cdn.mozilla.net	content-signature-chains.prod.autograph.services.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:46.551074028 CET	1.1.1.1	192.168.2.11	0xac78	No error (0)	content-signature-chains.prod.autograph.services.mozaws.net	prod.content-signature-chains.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:46.551074028 CET	1.1.1.1	192.168.2.11	0xac78	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.609308958 CET	1.1.1.1	192.168.2.11	0x2454	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 07:56:46.613198042 CET	1.1.1.1	192.168.2.11	0x9034	No error (0)	youtube.com			28	IN (0x0001)	false
Dec 13, 2024 07:56:46.749926090 CET	1.1.1.1	192.168.2.11	0xa512	No error (0)	prod.ads.prod.webservices.mozgcp.net		34.117.188.166	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.750695944 CET	1.1.1.1	192.168.2.11	0x36df	No error (0)	prod.classify-client.prod.webservices.mozgcp.net		35.190.72.216	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:46.753338099 CET	1.1.1.1	192.168.2.11	0xa2c7	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:47.124226093 CET	1.1.1.1	192.168.2.11	0x3460	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net		34.160.144.191	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:47.294754982 CET	1.1.1.1	192.168.2.11	0xa99	No error (0)	prod.content-signature-chains.prod.webservices.mozgcp.net			28	IN (0x0001)	false
Dec 13, 2024 07:56:48.033886909 CET	1.1.1.1	192.168.2.11	0x5d6d	No error (0)	shavar.services.mozilla.com	shavar.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:48.309036016 CET	1.1.1.1	192.168.2.11	0x440e	No error (0)	ipv4only.arpa		192.0.0.171	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.309036016 CET	1.1.1.1	192.168.2.11	0x440e	No error (0)	ipv4only.arpa		192.0.0.170	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.309427023 CET	1.1.1.1	192.168.2.11	0x6a89	No error (0)	example.org		93.184.215.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.395195961 CET	1.1.1.1	192.168.2.11	0xb29a	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:48.395195961 CET	1.1.1.1	192.168.2.11	0xb29a	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:48.849335909 CET	1.1.1.1	192.168.2.11	0x5949	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:49.053844929 CET	1.1.1.1	192.168.2.11	0x1151	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.031721115 CET	1.1.1.1	192.168.2.11	0x5848	No error (0)	balrog-aus5.r53-2.services.mozilla.com	prod.balrog.prod.cloudops.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:51.031721115 CET	1.1.1.1	192.168.2.11	0x5848	No error (0)	prod.balrog.prod.cloudops.mozgcp.net		35.244.181.201	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.043329954 CET	1.1.1.1	192.168.2.11	0xb1da	No error (0)	support.mozilla.org	prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:51.043329954 CET	1.1.1.1	192.168.2.11	0xb1da	No error (0)	prod.sumo.prod.webservices.mozgcp.net	us-west1.prod.sumo.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:51.043329954 CET	1.1.1.1	192.168.2.11	0xb1da	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.044277906 CET	1.1.1.1	192.168.2.11	0xbe0d	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.190602064 CET	1.1.1.1	192.168.2.11	0xbf81	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.279645920 CET	1.1.1.1	192.168.2.11	0x87aa	No error (0)	us-west1.prod.sumo.prod.webservices.mozgcp.net		34.149.128.2	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:51.381169081 CET	1.1.1.1	192.168.2.11	0x70aa	No error (0)	firefox.settings.services.mozilla.com	prod.remote-settings.prod.webservices.mozgcp.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:51.381169081 CET	1.1.1.1	192.168.2.11	0x70aa	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:52.923727036 CET	1.1.1.1	192.168.2.11	0x2f0	No error (0)	prod.remote-settings.prod.webservices.mozgcp.net		34.149.100.209	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:56.586483955 CET	1.1.1.1	192.168.2.11	0x443c	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:56.637697935 CET	1.1.1.1	192.168.2.11	0xbee6	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	www.youtube.com	youtube-ui.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		172.217.19.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		172.217.19.174	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820508957 CET	1.1.1.1	192.168.2.11	0x4b0	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820574999 CET	1.1.1.1	192.168.2.11	0xf3a7	No error (0)	www.facebook.com	star-mini.c10r.facebook.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:59.820574999 CET	1.1.1.1	192.168.2.11	0xf3a7	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.821607113 CET	1.1.1.1	192.168.2.11	0xcec	No error (0)	www.wikipedia.org	dyna.wikimedia.org		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:56:59.821607113 CET	1.1.1.1	192.168.2.11	0xcec	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		172.217.19.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		142.250.181.14	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		142.250.181.142	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		142.250.181.110	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		216.58.208.238	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		142.250.181.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		172.217.17.78	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.962677956 CET	1.1.1.1	192.168.2.11	0x4b12	No error (0)	youtube-ui.l.google.com		172.217.19.206	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.963398933 CET	1.1.1.1	192.168.2.11	0xac6e	No error (0)	star-mini.c10r.facebook.com		157.240.196.35	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:56:59.963570118 CET	1.1.1.1	192.168.2.11	0xf61	No error (0)	dyna.wikimedia.org		185.15.58.224	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:00.101560116 CET	1.1.1.1	192.168.2.11	0x6ca4	No error (0)	star-mini.c10r.facebook.com			28	IN (0x0001)	false
Dec 13, 2024 07:57:00.102317095 CET	1.1.1.1	192.168.2.11	0x3a44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 07:57:00.102317095 CET	1.1.1.1	192.168.2.11	0x3a44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 07:57:00.102317095 CET	1.1.1.1	192.168.2.11	0x3a44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 07:57:00.102317095 CET	1.1.1.1	192.168.2.11	0x3a44	No error (0)	youtube-ui.l.google.com			28	IN (0x0001)	false
Dec 13, 2024 07:57:00.102783918 CET	1.1.1.1	192.168.2.11	0xd776	No error (0)	dyna.wikimedia.org			28	IN (0x0001)	false
Dec 13, 2024 07:57:00.488423109 CET	1.1.1.1	192.168.2.11	0xabdf	No error (0)	www.reddit.com	reddit.map.fastly.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:57:00.488423109 CET	1.1.1.1	192.168.2.11	0xabdf	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:00.488423109 CET	1.1.1.1	192.168.2.11	0xabdf	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:00.488423109 CET	1.1.1.1	192.168.2.11	0xabdf	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:00.488423109 CET	1.1.1.1	192.168.2.11	0xabdf	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:00.491713047 CET	1.1.1.1	192.168.2.11	0xd079	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.349807978 CET	1.1.1.1	192.168.2.11	0x4b89	No error (0)	reddit.map.fastly.net		151.101.1.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.349807978 CET	1.1.1.1	192.168.2.11	0x4b89	No error (0)	reddit.map.fastly.net		151.101.193.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.349807978 CET	1.1.1.1	192.168.2.11	0x4b89	No error (0)	reddit.map.fastly.net		151.101.65.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.349807978 CET	1.1.1.1	192.168.2.11	0x4b89	No error (0)	reddit.map.fastly.net		151.101.129.140	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:01.350133896 CET	1.1.1.1	192.168.2.11	0xd41	No error (0)	twitter.com		104.244.42.65	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.120788097 CET	1.1.1.1	192.168.2.11	0x6af8	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.120788097 CET	1.1.1.1	192.168.2.11	0x6af8	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.120788097 CET	1.1.1.1	192.168.2.11	0x6af8	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.120788097 CET	1.1.1.1	192.168.2.11	0x6af8	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.158474922 CET	1.1.1.1	192.168.2.11	0xe8e	No error (0)	normandy.cdn.mozilla.net	normandy-cdn.services.mozilla.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:57:13.158474922 CET	1.1.1.1	192.168.2.11	0xe8e	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.261291027 CET	1.1.1.1	192.168.2.11	0x5f67	No error (0)	services.addons.mozilla.org		151.101.129.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.261291027 CET	1.1.1.1	192.168.2.11	0x5f67	No error (0)	services.addons.mozilla.org		151.101.65.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.261291027 CET	1.1.1.1	192.168.2.11	0x5f67	No error (0)	services.addons.mozilla.org		151.101.1.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.261291027 CET	1.1.1.1	192.168.2.11	0x5f67	No error (0)	services.addons.mozilla.org		151.101.193.91	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.298943043 CET	1.1.1.1	192.168.2.11	0xafa7	No error (0)	normandy-cdn.services.mozilla.com		35.201.103.21	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:13.400521994 CET	1.1.1.1	192.168.2.11	0x9e48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 07:57:13.400521994 CET	1.1.1.1	192.168.2.11	0x9e48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 07:57:13.400521994 CET	1.1.1.1	192.168.2.11	0x9e48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 07:57:13.400521994 CET	1.1.1.1	192.168.2.11	0x9e48	No error (0)	services.addons.mozilla.org			28	IN (0x0001)	false
Dec 13, 2024 07:57:16.114964008 CET	1.1.1.1	192.168.2.11	0x9978	No error (0)	a21ed24aedde648804e7-228765c84088fef4ff5e70f2710398e9.r17.cf1.rackcdn.com	a17.rackcdn.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:57:16.114964008 CET	1.1.1.1	192.168.2.11	0x9978	No error (0)	a17.rackcdn.com	a17.rackcdn.com.mdc.edgesuite.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:57:43.277123928 CET	1.1.1.1	192.168.2.11	0xf7be	No error (0)	telemetry-incoming.r53-2.services.mozilla.com		34.120.208.123	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:57:44.679752111 CET	1.1.1.1	192.168.2.11	0x7cb8	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:57:44.679752111 CET	1.1.1.1	192.168.2.11	0x7cb8	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:58:12.168874025 CET	1.1.1.1	192.168.2.11	0xf52f	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:58:13.540082932 CET	1.1.1.1	192.168.2.11	0x2a63	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:58:13.540082932 CET	1.1.1.1	192.168.2.11	0x2a63	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:59:33.774285078 CET	1.1.1.1	192.168.2.11	0x99b8	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:59:33.912889004 CET	1.1.1.1	192.168.2.11	0x17ff	No error (0)	push.services.mozilla.com		34.107.243.93	A (IP address)	IN (0x0001)	false
Dec 13, 2024 07:59:35.279732943 CET	1.1.1.1	192.168.2.11	0xd7cc	No error (0)	detectportal.firefox.com	detectportal.prod.mozaws.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 13, 2024 07:59:35.279732943 CET	1.1.1.1	192.168.2.11	0xd7cc	No error (0)	prod.detectportal.prod.cloudops.mozgcp.net		34.107.221.82	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

detectportal.firefox.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49753	34.107.221.82	80	7588	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:56:46.733508110 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:56:47.822405100 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 10:09:25 GMT Age: 74842 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49757	34.107.221.82	80	7588	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:56:48.518709898 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:56:49.604873896 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58749 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:56:50.907586098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:56:51.222773075 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58751 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:56:51.325283051 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:56:51.640465975 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58751 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:56:56.847569942 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:56:57.163743019 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58757 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:56:59.999867916 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:00.315032959 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58760 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:02.670062065 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:02.985364914 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58762 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:09.248584986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:09.563541889 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58769 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:10.579157114 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:10.894397020 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58770 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:14.432173967 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:14.747615099 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58774 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:15.910680056 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:16.225944042 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58776 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:26.229460955 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:57:32.015017986 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:32.330101967 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58792 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:42.338813066 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:57:44.865632057 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:57:45.180493116 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58805 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:57:55.191458941 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:05.321082115 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:13.729602098 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:58:14.044897079 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58833 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success
Dec 13, 2024 07:58:24.045562983 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:34.174103022 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:44.302751064 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:54.431298971 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:59:04.561213970 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:59:14.691256046 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:59:35.457195044 CET	305	OUT	GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Dec 13, 2024 07:59:35.772433996 CET	216	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 8 Via: 1.1 google Date: Thu, 12 Dec 2024 14:37:40 GMT Age: 58915 Content-Type: text/plain Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 73 75 63 63 65 73 73 0a Data Ascii: success

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49758	34.107.221.82	80	7588	C:\Program Files\Mozilla Firefox\firefox.exe

Timestamp	Bytes transferred	Direction	Data
Dec 13, 2024 07:56:48.518892050 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:56:49.604069948 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70747 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:56:50.912266970 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:56:51.226809025 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70749 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:56:56.448374987 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:56:56.762839079 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70754 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:56:59.682459116 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:56:59.996965885 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70757 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:02.352221966 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:57:02.666925907 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70760 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:08.930402994 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:57:09.245295048 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70767 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:10.253763914 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:57:10.571659088 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70768 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:14.090024948 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:57:14.429444075 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70772 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:15.591871023 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:57:15.906303883 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70773 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:25.928544044 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:57:31.697638988 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:57:32.011955976 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70789 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:42.022253036 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:57:44.526731968 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:57:44.862680912 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70802 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:57:54.875332117 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:05.004555941 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:13.401431084 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:58:13.724787951 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70831 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>
Dec 13, 2024 07:58:23.728941917 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:33.857990980 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:43.986665964 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:58:54.114737988 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:59:04.244736910 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:59:14.374624968 CET	6	OUT	Data Raw: 00 Data Ascii:
Dec 13, 2024 07:59:35.139246941 CET	303	OUT	GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: / Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Dec 13, 2024 07:59:35.453624010 CET	298	IN	HTTP/1.1 200 OK Server: nginx Content-Length: 90 Via: 1.1 google Date: Thu, 12 Dec 2024 11:17:42 GMT Age: 70913 Content-Type: text/html Cache-Control: public,must-revalidate,max-age=0,s-maxage=3600 Data Raw: 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 73 75 70 70 6f 72 74 2e 6d 6f 7a 69 6c 6c 61 2e 6f 72 67 2f 6b 62 2f 63 61 70 74 69 76 65 2d 70 6f 72 74 61 6c 22 2f 3e Data Ascii: <meta http-equiv="refresh" content="0;url=https://support.mozilla.org/kb/captive-portal"/>

Target ID:	0
Start time:	01:56:35
Start date:	13/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7f0000
File size:	971'776 bytes
MD5 hash:	2FC0741F6F4A989E9B55081F90DF178A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:56:36
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM firefox.exe /T
Imagebase:	0x6a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:56:36
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:56:38
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM chrome.exe /T
Imagebase:	0x6a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:56:38
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM msedge.exe /T
Imagebase:	0x6a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM opera.exe /T
Imagebase:	0x6a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /F /IM brave.exe /T
Imagebase:	0x6a0000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:56:39
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	01:56:41
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2296 -parentBuildID 20230927232528 -prefsHandle 2240 -prefMapHandle 2232 -prefsLen 25393 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6fc0976-fc69-4595-b16c-ab50f7aacfc8} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c53856ad10 socket
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	01:56:44
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4020 -parentBuildID 20230927232528 -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26343 -prefMapSize 238472 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91e915a1-b7c5-49c2-a37f-d429fc5789c3} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54a67a210 rdd
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	01:56:50
Start date:	13/12/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5204 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 1536 -prefMapHandle 5208 -prefsLen 33559 -prefMapSize 238472 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07e6227e-e550-4669-9884-2f57c3500979} 7588 "\\.\pipe\gecko-crash-server-pipe.7588" 2c54ad81710 utility
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	1754
Total number of Limit Nodes:	51

Executed Functions

Function 007F42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007F430D

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

GetCurrentProcess.KERNEL32(?,0088CB64,00000000,?,?), ref: 007F4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 007F4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 007F4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007F4466
GetNativeSystemInfo.KERNEL32(?,?,?), ref: 007F4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 007F447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007F44A0

Strings

|O, xrefs: 008336F8
kernel32.dll, xrefs: 007F444F
GetNativeSystemInfo, xrefs: 007F4460

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 9acda2cf29a46a834c8434f82f4f8809a10400b45f82e4551a747745d6dcdad1
Instruction ID: 6e1d0167dfd72a9d429d843f5fd9daee738bf016c66778963f884d61feeb2a8c
Opcode Fuzzy Hash: 9acda2cf29a46a834c8434f82f4f8809a10400b45f82e4551a747745d6dcdad1
Instruction Fuzzy Hash: 94A1906191A2C4CFCF12D7B97CCD9A67EB4BB67308B1459A9D141A3B23D23C4908CB61

Function 007F42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007F50AA,?,?,00000000,00000000), ref: 007F42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007F50AA,?,?,00000000,00000000), ref: 007F42C9
LoadResource.KERNEL32(?,00000000,?,?,007F50AA,?,?,00000000,00000000,?,?,?,?,?,?,007F4F20), ref: 008335BE
SizeofResource.KERNEL32(?,00000000,?,?,007F50AA,?,?,00000000,00000000,?,?,?,?,?,?,007F4F20), ref: 008335D3
LockResource.KERNEL32(007F50AA,?,?,007F50AA,?,?,00000000,00000000,?,?,?,?,?,?,007F4F20,?), ref: 008335E6

Strings

SCRIPT, xrefs: 007F42BF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: b6b58bb2d8c312af0329d44118884a22609a88ee4a4ebb21a87213f56b735a2c
Instruction ID: 6403a9fb77d0009817d1d05be7e5a6938c08a72b9e634a8383f08f1337902b27
Opcode Fuzzy Hash: b6b58bb2d8c312af0329d44118884a22609a88ee4a4ebb21a87213f56b735a2c
Instruction Fuzzy Hash: 80117971200705BFEB218BA9DC48F277BBAFBC5B51F208169B512D66A0DB71E8008B70

Function 00832BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 007F2B6B

Part of subcall function 007F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008C1418,?,007F2E7F,?,?,?,00000000), ref: 007F3A78

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,008B2224), ref: 00832C10
ShellExecuteW.SHELL32(00000000,?,?,008B2224), ref: 00832C17

Strings

runas, xrefs: 00832C0B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 1b05870036b62731d34749baf3a4724fdeea0a1182f95b28667b8cbe27e59063
Instruction ID: de28ef242564d9c5fc6272fbe641f499f80d8fef5f894218af67873c341b536e
Opcode Fuzzy Hash: 1b05870036b62731d34749baf3a4724fdeea0a1182f95b28667b8cbe27e59063
Instruction Fuzzy Hash: BF11A131108209EACB15FF64D899ABDBBA5FF91350F44041DB796422A3DF39890A8752

Function 0085D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0085D501
Process32FirstW.KERNEL32(00000000,?), ref: 0085D50F
Process32NextW.KERNEL32(00000000,?), ref: 0085D52F
CloseHandle.KERNEL32(00000000), ref: 0085D5DC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: de49762939513176f2f2b0777eff4770d49253b07c33e2c2a2353353177eb3e4
Instruction ID: 82391a9ecba5af6e55eb9042123cdf7de4f203847e28f437787113906da2f4a1
Opcode Fuzzy Hash: de49762939513176f2f2b0777eff4770d49253b07c33e2c2a2353353177eb3e4
Instruction Fuzzy Hash: DA318471108304DFD310EF54C885ABFBBE8FF99354F14052DFA85862A1EB719949CBA2

Function 0085DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00835222), ref: 0085DBCE
GetFileAttributesW.KERNEL32(?), ref: 0085DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0085DBEE
FindClose.KERNEL32(00000000), ref: 0085DBFA

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: a19644be1e1ff6b97281f3540785ffb34d1e75f7fb7c8bc9d5732db77a34ec69
Instruction ID: d96a41829cb6bc01b92702f225ae6849d1b07a267e28fd394603835429b840e2
Opcode Fuzzy Hash: a19644be1e1ff6b97281f3540785ffb34d1e75f7fb7c8bc9d5732db77a34ec69
Instruction Fuzzy Hash: BAF03031814A149782306B7CAD4D8AE77ACFF41336B544706FC76C22E4EBB05D5986A5

Function 0084D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0084D220

Strings

%.3d, xrefs: 0084D22B
X64, xrefs: 0084D2A8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: bd3ba27dc7306d2f6206e2654dfd1abdc7be4c1c7e30ec4168911664d44b6ceb
Instruction ID: 6d2beafd851b1560f247ef14fa6042412c3cb2af693ca8de8dca6b2f968eeec7
Opcode Fuzzy Hash: bd3ba27dc7306d2f6206e2654dfd1abdc7be4c1c7e30ec4168911664d44b6ceb
Instruction Fuzzy Hash: 62D0127180832DEACBD096D4CC498B9B3BCFB08305F908452F906D1181D674E5086B61

Function 00814CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008228E9,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002,00000000,?,008228E9), ref: 00814D09
TerminateProcess.KERNEL32(00000000,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002,00000000,?,008228E9), ref: 00814D10
ExitProcess.KERNEL32 ref: 00814D22

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2cfb6385e8afc846466131f946ec3b290b6e125d91d634a944707aaeea6a8f7d
Instruction ID: fabbeb8717f4dcee93ac0b785d417d9d29fe0f83930dd205b00ca656e9419940
Opcode Fuzzy Hash: 2cfb6385e8afc846466131f946ec3b290b6e125d91d634a944707aaeea6a8f7d
Instruction Fuzzy Hash: 09E0B631000148ABCF11AF58ED09A983B6DFF41B81B104014FC09CA226CB35ED82DB90

Function 0084D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0084D28C

Strings

X64, xrefs: 0084D2A8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 7674ac8fbe4066663e75686acca58f2680f9acd1253dc0ac378a78c7db354fc0
Instruction ID: 506989ed0a10c8fa0ca3c8d2df8682cb0dd9f822d388b6bc5eccb827271143a3
Opcode Fuzzy Hash: 7674ac8fbe4066663e75686acca58f2680f9acd1253dc0ac378a78c7db354fc0
Instruction Fuzzy Hash: 71D0CAB580122DEBCB90CBA0EC88DDAB3BCFB14349F100292F10AE2140DB70A6488F20

Function 0087AFF9 Relevance: 24.4, APIs: 16, Instructions: 418
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0087B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0087B1D4
_wcslen.LIBCMT ref: 0087B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0087B236
_wcslen.LIBCMT ref: 0087B332

Part of subcall function 008605A7: GetStdHandle.KERNEL32(000000F6), ref: 008605C6

_wcslen.LIBCMT ref: 0087B34B
_wcslen.LIBCMT ref: 0087B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0087B3B6
GetLastError.KERNEL32(00000000), ref: 0087B407
CloseHandle.KERNEL32(?), ref: 0087B439
CloseHandle.KERNEL32(00000000), ref: 0087B44A
CloseHandle.KERNEL32(00000000), ref: 0087B45C
CloseHandle.KERNEL32(00000000), ref: 0087B46E
CloseHandle.KERNEL32(?), ref: 0087B4E3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 66d6256b4d93a2f2b4e35e99624e32ec4ec3c58e7dbc895b34a1e14670ee186b
Instruction ID: e8ae40dc32cc4be637aef4f30528d73fb8aa1242b3a1832ce730d5b5c59b9fdc
Opcode Fuzzy Hash: 66d6256b4d93a2f2b4e35e99624e32ec4ec3c58e7dbc895b34a1e14670ee186b
Instruction Fuzzy Hash: 1AF18931508204DFC724EF28C895B6ABBE6FF85314F18855DF9998B2A6CB34EC44CB52

Function 007FD730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007FD807
timeGetTime.WINMM ref: 007FDA07
Sleep.KERNEL32(0000000A), ref: 007FDBB1
Sleep.KERNEL32(0000000A), ref: 00842B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00842C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00842C29
CloseHandle.KERNEL32(?), ref: 00842C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00842CA9

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: 4ec75331df57f691947b6555adacd498b3dc5efc0c2797323ca42beebc2f5268
Instruction ID: a6c798bba6e17df08d72ee7a13afebed081af5438276060e28ea9614e26f16be
Opcode Fuzzy Hash: 4ec75331df57f691947b6555adacd498b3dc5efc0c2797323ca42beebc2f5268
Instruction Fuzzy Hash: 5F42DD7060824ADFDB39DF28C888B7AB7A2FF46304F548519FA5587391D778AC44CB92

Function 007F2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007F2D07
RegisterClassExW.USER32(00000030), ref: 007F2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007F2D42
InitCommonControlsEx.COMCTL32(?), ref: 007F2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007F2D6F
LoadIconW.USER32(000000A9), ref: 007F2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007F2D94

Strings

0, xrefs: 007F2CE9
AutoIt v3 GUI, xrefs: 007F2D23
TaskbarCreated, xrefs: 007F2D37
+, xrefs: 007F2CF0

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 04640a94588beccf1f80ac401049e67e43e5e2cfc2ceb9f5cfcb166eb22cabec
Instruction ID: eb5743034202e74059348c424944df3af73a758d62da33153fa9d3bcb511decb
Opcode Fuzzy Hash: 04640a94588beccf1f80ac401049e67e43e5e2cfc2ceb9f5cfcb166eb22cabec
Instruction Fuzzy Hash: A421E3B1901218AFDF00EFA8EC89BDDBFB4FB09700F00811AF611A62A5D7B54544CFA1

Function 0083065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0083039A: CreateFileW.KERNEL32(00000000,00000000,?,00830704,?,?,00000000,?,00830704,00000000,0000000C), ref: 008303B7

GetLastError.KERNEL32 ref: 0083076F
__dosmaperr.LIBCMT ref: 00830776
GetFileType.KERNEL32(00000000), ref: 00830782
GetLastError.KERNEL32 ref: 0083078C
__dosmaperr.LIBCMT ref: 00830795
CloseHandle.KERNEL32(00000000), ref: 008307B5
CloseHandle.KERNEL32(?), ref: 008308FF
GetLastError.KERNEL32 ref: 00830931
__dosmaperr.LIBCMT ref: 00830938

Strings

H, xrefs: 008308BD

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 8cbe9bb6f1cbb6d05879b69a9209501b2b819dd466ffd302987dd8be3ad103e2
Instruction ID: e53c4444a945f3c50ef832a0ba4dfb10332630f82534deb20cb035b915018c8f
Opcode Fuzzy Hash: 8cbe9bb6f1cbb6d05879b69a9209501b2b819dd466ffd302987dd8be3ad103e2
Instruction Fuzzy Hash: 69A1D432A141188FDF19AF68D862BAE7BA0FB46324F14015DF815DB3D2DB319952CF92

Function 007F344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007F3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008C1418,?,007F2E7F,?,?,?,00000000), ref: 007F3A78

Part of subcall function 007F3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 007F3379

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007F356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0083318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008331CE
RegCloseKey.ADVAPI32(?), ref: 00833210
_wcslen.LIBCMT ref: 00833277
_wcslen.LIBCMT ref: 00833286

Strings

Software\AutoIt v3\AutoIt, xrefs: 007F3560
\, xrefs: 0083328C
Include, xrefs: 00833184, 008331C5
\Include\, xrefs: 007F3527

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 21a40482b48a7d8c19099f499001bea26142c2f96172e5580389fc50cdf3abc4
Instruction ID: 1d6c6474e3bacc921b0437adf672f3d286ed19667617ce62f86551820cad9386
Opcode Fuzzy Hash: 21a40482b48a7d8c19099f499001bea26142c2f96172e5580389fc50cdf3abc4
Instruction Fuzzy Hash: 787136714043459EC314EF69EC859ABBBF8FF84740F40452EF645D62B1EB789A48CBA2

Function 007F2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007F2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 007F2B9D
LoadIconW.USER32(00000063), ref: 007F2BB3
LoadIconW.USER32(000000A4), ref: 007F2BC5
LoadIconW.USER32(000000A2), ref: 007F2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007F2BEF
RegisterClassExW.USER32(?), ref: 007F2C40

Part of subcall function 007F2CD4: GetSysColorBrush.USER32(0000000F), ref: 007F2D07
Part of subcall function 007F2CD4: RegisterClassExW.USER32(00000030), ref: 007F2D31
Part of subcall function 007F2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007F2D42
Part of subcall function 007F2CD4: InitCommonControlsEx.COMCTL32(?), ref: 007F2D5F
Part of subcall function 007F2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007F2D6F
Part of subcall function 007F2CD4: LoadIconW.USER32(000000A9), ref: 007F2D85
Part of subcall function 007F2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007F2D94

Strings

0, xrefs: 007F2C0F
AutoIt v3, xrefs: 007F2C2F
#, xrefs: 007F2C16

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: f6edfc1d91c01d8d49fdcc496f8a9632729a5addd5215048d7b41e7ff012b59c
Instruction ID: 6138e4b5e3355443343ddc6d443785f4e1705c4021971909e7c33a3cd9a17b5a
Opcode Fuzzy Hash: f6edfc1d91c01d8d49fdcc496f8a9632729a5addd5215048d7b41e7ff012b59c
Instruction Fuzzy Hash: F9211A70E00358ABDF109FB9EC99EA97FB4FB49B54F00401AF600A67A1D7B94550CF90

Function 007F3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,007F316A,?,?), ref: 007F31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,007F316A,?,?), ref: 007F3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007F3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,007F316A,?,?), ref: 007F3232
CreatePopupMenu.USER32 ref: 007F3246
PostQuitMessage.USER32(00000000), ref: 007F3267

Strings

TaskbarCreated, xrefs: 007F322D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: f2479eee8767a6121ad21b04869de84d70edf2b6a15e7497ce31a50188f49408
Instruction ID: 62f3c3a7af7585839092f36862c976b3933225cbc707743b6232a6147bee3241
Opcode Fuzzy Hash: f2479eee8767a6121ad21b04869de84d70edf2b6a15e7497ce31a50188f49408
Instruction Fuzzy Hash: E741C33124060CEADF152B7C9D8EF793A69F746354F04012AFB16C63A2CB7DDA4497A2

Function 007F1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007F1459
CoUninitialize.COMBASE ref: 007F14F8
UnregisterHotKey.USER32(?), ref: 007F16DD
DestroyWindow.USER32(?), ref: 008324B9
FreeLibrary.KERNEL32(?), ref: 0083251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0083254B

Strings

close all, xrefs: 007F1454

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: c559d76fd5dc7e7e918ed144cc334a042df20254ebba9456025a5721625d5729
Instruction ID: 8e9cf1d6b82a61a3e4e167fbcf9c1f4dce0f5eac0353d10d398d6007242cec30
Opcode Fuzzy Hash: c559d76fd5dc7e7e918ed144cc334a042df20254ebba9456025a5721625d5729
Instruction Fuzzy Hash: 83D16A31701216CFCB29EF19C899A29F7A0FF45710F5441ADE64AAB352DB34AD12CF91

Function 0085DE27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000101,?), ref: 0085DE42
gethostname.WS2_32(?,00000100), ref: 0085DE5C
gethostbyname.WS2_32(?), ref: 0085DE69
inet_ntoa.WSOCK32(?), ref: 0085DEAB
_strcat.LIBCMT ref: 0085DEB9
WSACleanup.WSOCK32 ref: 0085DEDE

Strings

0.0.0.0, xrefs: 0085DE87

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 17bcdad717e548181d9a0476dd68f67e65d9dcd325cdda24355e575d56007f22
Instruction ID: 13042df2f3534482f2e664e7687b1543b7aae7a3db60da3c157299d7f8921a77
Opcode Fuzzy Hash: 17bcdad717e548181d9a0476dd68f67e65d9dcd325cdda24355e575d56007f22
Instruction Fuzzy Hash: 0D110A31904219AFDB30BB68DC0BEDE77ACFF11712F000169F945EA0A1EF748A858B61

Function 007F2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007F2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007F2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,007F1CAD,?), ref: 007F2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,007F1CAD,?), ref: 007F2CCF

Strings

edit, xrefs: 007F2CAC
AutoIt v3, xrefs: 007F2C89, 007F2C8E, 007F2C8F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: ee9b516b79a541b80abc447c42b7b96ae55a179cb42d776795333cd133f43fe8
Instruction ID: 50dca62593050c21813bffa3fdbe750f7173679974ff8d186c9efc1bbef6517a
Opcode Fuzzy Hash: ee9b516b79a541b80abc447c42b7b96ae55a179cb42d776795333cd133f43fe8
Instruction Fuzzy Hash: 49F0DA755402D07AEB311727AC8CE772EBDF7C7F54B01005AF900A2AA5C6791850DBB0

Function 0084D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0084D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0084D3BF
FreeLibrary.KERNEL32(00000000), ref: 0084D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0084D3B9
X64, xrefs: 0084D2A8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: c23d601989bddf1e9eeb505c7f100a6f030b26a0ff4a4ba155c6339fc25f154c
Instruction ID: 89771b85b3f47f334281943f84ef1600add1d2ff57e098555eb7099b8229aa89
Opcode Fuzzy Hash: c23d601989bddf1e9eeb505c7f100a6f030b26a0ff4a4ba155c6339fc25f154c
Instruction Fuzzy Hash: 39F05C3650673D9BC7712B144C9C95D3724FF12B09B548085F501E6359E770DC4887A2

Function 007F3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,007F3B0F,SwapMouseButtons,00000004,?), ref: 007F3B40
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,007F3B0F,SwapMouseButtons,00000004,?), ref: 007F3B61
RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,007F3B0F,SwapMouseButtons,00000004,?), ref: 007F3B83

Strings

Control Panel\Mouse, xrefs: 007F3B3E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a8616595fff3936cafda3cdbd314205aafa85f23237997616f04fd0cf817f317
Instruction ID: bcbe44f747ff20e40ea6a570d36fab28ab2ba081c8484262a56d0d6b22993b9c
Opcode Fuzzy Hash: a8616595fff3936cafda3cdbd314205aafa85f23237997616f04fd0cf817f317
Instruction Fuzzy Hash: 15112AB5511208FFDB218FA9DC54ABEB7B8EF04784B10445AA905D7210E2359E409760

Function 007FDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 008432B7

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: cfddb1eaddc9484b936c24857873bd7435d31dd6952736fa706ab2e0feb0bf82
Instruction ID: 96ea24ab0ce8ab7815d66f55651d1bb0a27d73ad25d11473119e0d35240fb7b2
Opcode Fuzzy Hash: cfddb1eaddc9484b936c24857873bd7435d31dd6952736fa706ab2e0feb0bf82
Instruction Fuzzy Hash: 5DC27C71A00219CFCB24CF58C884ABDB7B1FF19310F248569EA55AB3A1D779ED81CB91

Function 007FEC40 Relevance: 5.7, APIs: 3, Instructions: 1195COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007FFE66

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: c3cbe45ab760d295d717aa7851b85b96fbc2b336360b873a29b078709b1444b7
Instruction ID: ef19418d9642fda26ab3f9ec1baa908e5b3af561c02ac7f7d8107bddf1c84836
Opcode Fuzzy Hash: c3cbe45ab760d295d717aa7851b85b96fbc2b336360b873a29b078709b1444b7
Instruction Fuzzy Hash: AEB25B74608349CFDB64CF18C480A2AB7F1FF95314F14486DEA959B3A1DB79E841CB52

Function 007F3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008333A2

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 007F3A04

Strings

Line: , xrefs: 008333EB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 4594284679755c36489df79e1dbd179b23c0b04a4905d77e6af6e43e7342c9d1
Instruction ID: 2ec95e827f3d243f762c6a76dd2d5dcdf1c72269de88168fd52c4e1166554318
Opcode Fuzzy Hash: 4594284679755c36489df79e1dbd179b23c0b04a4905d77e6af6e43e7342c9d1
Instruction Fuzzy Hash: 5131C471408348AAC721EB20DC49FFBB7E8BF41714F10452AF69982392DB789A48C7D2

Function 0080FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00810668

Part of subcall function 008132A4: RaiseException.KERNEL32(?,?,?,0081068A,?,008C1444,?,?,?,?,?,?,0081068A,007F1129,008B8738,007F1129), ref: 00813304

__CxxThrowException@8.LIBVCRUNTIME ref: 00810685

Strings

Unknown exception, xrefs: 00810692

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 86cd6474d87d8f6d9420ef93b544851fc9278f112a91fa359c6558b2250387e0
Instruction ID: 2ef841633e6e478c0988d8361a009086234c83e0ba669e79ac9773c7ebd9b16c
Opcode Fuzzy Hash: 86cd6474d87d8f6d9420ef93b544851fc9278f112a91fa359c6558b2250387e0
Instruction Fuzzy Hash: 7CF0A43490030DA7CB10B6A8DC46CDD776DFE10354B608131BA24D59D2EFB1DAD5C982

Function 007F10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F1BF4
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 007F1BFC
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F1C07
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F1C12
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 007F1C1A
Part of subcall function 007F1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 007F1C22

Part of subcall function 007F1B4A: RegisterWindowMessageW.USER32(00000004,?,007F12C4), ref: 007F1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007F136A
OleInitialize.OLE32 ref: 007F1388
CloseHandle.KERNEL32(00000000,00000000), ref: 008324AB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: eee2083ccfbe7a10e1d9eccb18b5fb336436850857d8cf743c6d80fd609892d1
Instruction ID: bde74dde62e66524fa86e46d790fddb407b16554f1975b512c8f44a8ad360c7c
Opcode Fuzzy Hash: eee2083ccfbe7a10e1d9eccb18b5fb336436850857d8cf743c6d80fd609892d1
Instruction Fuzzy Hash: 52719BB4915204CECB84EFB9ADCDE657AF1FB8A340754826ED60AC7363EB3484058F55

Function 0085C161 Relevance: 4.6, APIs: 3, Instructions: 74timewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 007F3A04

Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0085C259
KillTimer.USER32(?,00000001,?,?), ref: 0085C261
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0085C270

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_Timer$Kill
String ID:
API String ID: 3500052701-0
Opcode ID: b8ab05db69641a15bb6257e4dd6d40a08ebc9e693f13957be49c8edd31325d1f
Instruction ID: 10f099c8bcb87fa2a4ca2dd91133580721176f55e22dedb60687f282131fe975
Opcode Fuzzy Hash: b8ab05db69641a15bb6257e4dd6d40a08ebc9e693f13957be49c8edd31325d1f
Instruction Fuzzy Hash: 12318470904344AFEB229F648895BE6BBECFB06309F00049EDA9AD7242C7745A88CF51

Function 008286AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,008285CC,?,008B8CC8,0000000C), ref: 00828704
GetLastError.KERNEL32(?,008285CC,?,008B8CC8,0000000C), ref: 0082870E
__dosmaperr.LIBCMT ref: 00828739

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 792127edb1bce42db0aee994f5a0c1374e00244dd470643864225b02b5c869a3
Instruction ID: 7447546a615ef91ac1d6982936299eec840679cafbbc1a8ebe8ae333280417d2
Opcode Fuzzy Hash: 792127edb1bce42db0aee994f5a0c1374e00244dd470643864225b02b5c869a3
Instruction Fuzzy Hash: 7A012F326065309ADA24A238784DB7E6759FBA2775F35011DFC14CB2D3DEB08CC18251

Function 007FDB38 Relevance: 4.5, APIs: 3, Instructions: 29windowsleepCOMMON

Download Yara Rule

APIs

TranslateMessage.USER32(?), ref: 007FDB7B
DispatchMessageW.USER32(?), ref: 007FDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007FDB9F
Sleep.KERNEL32(0000000A), ref: 007FDBB1
TranslateAcceleratorW.USER32(?,?,?), ref: 00841CC9

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchPeekSleep
String ID:
API String ID: 3288985973-0
Opcode ID: c0f744fefee8731bf76b46871a798f992d91f8a20ac3c8ac4d29e75970ebdb0f
Instruction ID: febf5aef3ef8c02184025d024b89ef006b2dbde4a6eb665b34211c47133fc2a6
Opcode Fuzzy Hash: c0f744fefee8731bf76b46871a798f992d91f8a20ac3c8ac4d29e75970ebdb0f
Instruction Fuzzy Hash: 35F05E306483489BEB30DBA88C89FAA73B9FB45350F104A28E61AC30D0DB3494888B25

Function 00801310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008017F6

Strings

CALL, xrefs: 008017C6

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 2103f8d8581b18c51764a5839eefc445dcbc651d19cde8c65cae23fe51a0f757
Instruction ID: 09dcbea8708cea28c29af03f0c2d1494fbbc4e7329418584b2dfa743b4ad5ff1
Opcode Fuzzy Hash: 2103f8d8581b18c51764a5839eefc445dcbc651d19cde8c65cae23fe51a0f757
Instruction Fuzzy Hash: 3E229D706082459FCB54DF18C888A2ABBF1FF85324F14892DF596CB3A2D771E951CB92

Function 008001E0 Relevance: 3.6, APIs: 2, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e161294450451dd06d668e73dbffedbb42715fb04cf821d9a0ba924474a9c05
Instruction ID: 4cfbd835f287219626e8936c916f32c9fd156249acbc3b4ff9c8fb3d6b04cc8b
Opcode Fuzzy Hash: 3e161294450451dd06d668e73dbffedbb42715fb04cf821d9a0ba924474a9c05
Instruction Fuzzy Hash: 3932BB70A00609DFCB25DF58CC85BAEB7A1FF05314F158569E916EB2E2D731AD80CB92

Function 007F2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00832C8C

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

Part of subcall function 007F2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007F2DC4

Strings

X, xrefs: 00832C5A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: bc6f41539c357d08d13d291aabe164014c83586df9469cff5ba88084426009e1
Instruction ID: ed2720c9ece0b5d4b4657f8afacd0734037c3a925848977c1c56cc89da666d89
Opcode Fuzzy Hash: bc6f41539c357d08d13d291aabe164014c83586df9469cff5ba88084426009e1
Instruction Fuzzy Hash: B8218171A0029C9BCF01DF98C849BEE7BB8EF49704F108059E505E7345DBB85A898FA1

Function 0084D363 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,?), ref: 0084D375

Strings

X64, xrefs: 0084D2A8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ComputerName
String ID: X64
API String ID: 3545744682-893830106
Opcode ID: 5c21249d0c44b1c40138c83fbc0d3978df6d520ec131a9f5d33fefe80b2d726a
Instruction ID: 997630cd8d74a07cfe50d91b48b3b085a7a1070475e76eb99316f7d75930c6fb
Opcode Fuzzy Hash: 5c21249d0c44b1c40138c83fbc0d3978df6d520ec131a9f5d33fefe80b2d726a
Instruction Fuzzy Hash: B2D0C9B580532CEBCB90CB80DC88DD9B3BCFB04309F504191F006E2140D770A5489B20

Function 007F3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 007F3908

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 70cb26895030711768fa42e33d477190de0ff94b4d1670cdf9fead53a5b79ef5
Instruction ID: 8c2f66331486f673debe8cf0e8fd96505181099be411365fb48a030487075c45
Opcode Fuzzy Hash: 70cb26895030711768fa42e33d477190de0ff94b4d1670cdf9fead53a5b79ef5
Instruction Fuzzy Hash: 37316D705043059FD720DF64D888BA7BBF8FB49748F00092EFA9987351E779AA44CB52

Function 0080F645 Relevance: 3.0, APIs: 2, Instructions: 29sleeptimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0080F661

Part of subcall function 007FD730: GetInputState.USER32 ref: 007FD807

Sleep.KERNEL32(00000000), ref: 0084F2DE

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: InputSleepStateTimetime
String ID:
API String ID: 4149333218-0
Opcode ID: 17646dcc37cd61ce3ee02f6e670f98738207fcac0d1677ba14d4d0f66743e29c
Instruction ID: f4ff4878392cdea3d6a04a2026d5cc990fc7a9c1f8782ffef350db127699b259
Opcode Fuzzy Hash: 17646dcc37cd61ce3ee02f6e670f98738207fcac0d1677ba14d4d0f66743e29c
Instruction Fuzzy Hash: 93F08C31240209DFD350EF69D859B6AB7E9FF49760F004029E959C73A1DBB4A800CBA0

Function 007FB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007FBB4E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 8098ead4652e1c4f7cafc00af729aae067bc979a53f19f61d8ee1c9197478bf1
Instruction ID: 280bc3260bc888661eb23d8f694f67f2bde879715320d682b02e339caa4a0b0a
Opcode Fuzzy Hash: 8098ead4652e1c4f7cafc00af729aae067bc979a53f19f61d8ee1c9197478bf1
Instruction Fuzzy Hash: 1C32AD75A0020DDFDB10CF68C894ABAB7B5FF44354F14805AEA15AB3A1D7B8ED41CB91

Function 007F4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E9C
Part of subcall function 007F4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007F4EAE
Part of subcall function 007F4E90: FreeLibrary.KERNEL32(00000000,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4EFD

Part of subcall function 007F4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E62
Part of subcall function 007F4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007F4E74
Part of subcall function 007F4E59: FreeLibrary.KERNEL32(00000000,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E87

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 17ad50ce30d85fc6355d0b43f47d8dc359a5a6db42ba710fbd54fd8254272067
Instruction ID: f629b831cf13ad31b7614ba089e295b901b36c3d97b75a8efc7d8b356a6447f9
Opcode Fuzzy Hash: 17ad50ce30d85fc6355d0b43f47d8dc359a5a6db42ba710fbd54fd8254272067
Instruction Fuzzy Hash: 2611E332610209EBCB14BB64DC0AFBE77E5AF40710F10842DF646E62C1EF789A45A7A0

Function 00828402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00828440

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 22f5b11b69c2ef2719bf652cd85ab14f88f28a655444a0971a33d345e40d15e8
Instruction ID: ba02098c7385ca140eb1430253c7d523c5bb3062336529f62cf29a3d5aaad34d
Opcode Fuzzy Hash: 22f5b11b69c2ef2719bf652cd85ab14f88f28a655444a0971a33d345e40d15e8
Instruction Fuzzy Hash: 5811067590410AEFCF05DF58E94199A7BF9FF48314F14405AF808EB312DA31DA218BA5

Function 00825000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00824C7D: RtlAllocateHeap.NTDLL(00000008,007F1129,00000000,?,00822E29,00000001,00000364,?,?,?,0081F2DE,00823863,008C1444,?,0080FDF5,?), ref: 00824CBE

_free.LIBCMT ref: 0082506C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 1f97c7b39fb581679d559c53cb2dafc865bb666c8b19f6f9493af462b979c03c
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: DB012672244B146BE321CF69AC81A5AFBECFB89370F65051DE584C32C0EA30A885C6B4

Function 0081E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 1f5ba6f03b8dabbc4d317a22f264e0cbd184f63cb0637651bdd7d2de5b2be2ab
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: E6F0D132511A24AACA312E6DAC05BDA379CFF62334F500715FC26D22D2CB70A881C6A6

Function 00824C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007F1129,00000000,?,00822E29,00000001,00000364,?,?,?,0081F2DE,00823863,008C1444,?,0080FDF5,?), ref: 00824CBE

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a9bb49166ed4a23e9780c2d62c12f7116888ae54ec76c0d4dc4ff509a4e1f0a9
Instruction ID: a6ef0fe8d4760cbebe4a3d758eed4a4d5a9e168933a92a5ee4d28b828b5148b4
Opcode Fuzzy Hash: a9bb49166ed4a23e9780c2d62c12f7116888ae54ec76c0d4dc4ff509a4e1f0a9
Instruction Fuzzy Hash: FEF0E931602234A7DB215F7EFC09F9A378CFF417B0B146121BC15E6285CAB1D88186F1

Function 00823820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d14d65e5dba3abe7ce1b15b2bdd6d411952eb47c31ca71232c0295a3a1b40e51
Instruction ID: b65f7404668e28e078df1a8830f7cf44f7cdd6c39ddaeaddfb348da399785dc5
Opcode Fuzzy Hash: d14d65e5dba3abe7ce1b15b2bdd6d411952eb47c31ca71232c0295a3a1b40e51
Instruction Fuzzy Hash: F2E0E53210023457D621267ABC14BDA375DFF42BB0F160030BD15DA681CB69DE8182E1

Function 007F4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4F6D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: b86b2b4f5ef02335a4b59b4bd0a9c9af918396dc41b5c44a66614d9ce73d107c
Instruction ID: 431307fa319e33964c24c654b0986aafd708ef6fa58371a869fa7b1e00b93fb7
Opcode Fuzzy Hash: b86b2b4f5ef02335a4b59b4bd0a9c9af918396dc41b5c44a66614d9ce73d107c
Instruction Fuzzy Hash: A5F03971505756CFDB349F64D494823BBE4FF14329328897EE2EE82621CB359888DF10

Function 00882A55 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00882A66

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: 213b61f92e40c6efab453c1ffffe3a7851abbf3d495e435e29e6d71bef0811dc
Instruction ID: 4c398a1968c740a3750e10bc76dbaa7a951d8c37541ab78d0a6282176a6990f2
Opcode Fuzzy Hash: 213b61f92e40c6efab453c1ffffe3a7851abbf3d495e435e29e6d71bef0811dc
Instruction Fuzzy Hash: 0CE04F7635012AAAC718FA34DC809FA775CFF50399710453AAC26C2141EB30999987A0

Function 007F30F2 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 007F314E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: d7bdd2a069ebfe5a7fef7f6a0654bb6583e578f48b14208a383151ae13d45e79
Instruction ID: 35dbab3c7c150d755b22f86d0e3ae5735514620dac0cdbc22724aab5c7cd7c3e
Opcode Fuzzy Hash: d7bdd2a069ebfe5a7fef7f6a0654bb6583e578f48b14208a383151ae13d45e79
Instruction Fuzzy Hash: 66F037709143589FEB529B24DC89BD5BBBCBB0170CF0000E5A64896397D7745798CF51

Function 007F2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 007F2DC4

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 00f72b4bc199878ecdd9f5b7e4759cb0cd902aaec5b2a9f7b1820277c0d7b206
Instruction ID: f6cf4fa0a481ba3e814c062ef016e21110fd5f9f41e528c176d82a11799ef21d
Opcode Fuzzy Hash: 00f72b4bc199878ecdd9f5b7e4759cb0cd902aaec5b2a9f7b1820277c0d7b206
Instruction Fuzzy Hash: BCE0CD726001245BCB10925C9C09FEA77DDEFC8790F040071FD09D724CDA74AD808691

Function 007F2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007F3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007F3908

Part of subcall function 007FD730: GetInputState.USER32 ref: 007FD807

SetCurrentDirectoryW.KERNEL32(?), ref: 007F2B6B

Part of subcall function 007F30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 007F314E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 62b80d924dd35db7d507c2a6240908df2916f75b983a432c6021c36d4443f662
Instruction ID: 26b207e953431f9d54fe1eb384c75de9610b0da1e40d25aee5b435978f3bb37c
Opcode Fuzzy Hash: 62b80d924dd35db7d507c2a6240908df2916f75b983a432c6021c36d4443f662
Instruction Fuzzy Hash: 43E0863130424C86CA08BB75A89E97DA75AEBD2352F40153EF74287363DE3D894A4361

Function 0085DF27 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0085DF40

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: e9cb4c1136d388e9e616706e2a8c418118385a8e410645ced5962064271757fa
Instruction ID: 3522d5ec528aa9400ceb7cc45e1162e17a385cff1df9f9dda2b2319935204456
Opcode Fuzzy Hash: e9cb4c1136d388e9e616706e2a8c418118385a8e410645ced5962064271757fa
Instruction Fuzzy Hash: 69D05EE2A002286BDF60A6749C0DDF73AACD740210F0006A0786DD3156E934DD8486B0

Function 0083039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00830704,?,?,00000000,?,00830704,00000000,0000000C), ref: 008303B7

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 59ee99d94f4f68d738ea8022da8f4ee2c43462b26afedbfce6609e0e97e24434
Instruction ID: 1c0e5716b407b8bb30ceb2f083c61ed22da02c689a4fa340e1652895c5f636c5
Opcode Fuzzy Hash: 59ee99d94f4f68d738ea8022da8f4ee2c43462b26afedbfce6609e0e97e24434
Instruction Fuzzy Hash: 70D06C3204010DBBDF028F84DD46EDA3BAAFB48714F014000BE1856021C732E821AB90

Function 007F1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 007F1CBC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 7651f87d31b2cefdcd8d8db82d4bbe90d8f4032d35f840c1c30aae83b1e292fd
Instruction ID: 1541e781c9984c68a6dca7dd384d6b7482f6694353f5f5042645d513d36a93ab
Opcode Fuzzy Hash: 7651f87d31b2cefdcd8d8db82d4bbe90d8f4032d35f840c1c30aae83b1e292fd
Instruction Fuzzy Hash: 63C09236280304AFFA149B94BC8EF117774B788B04F048002F609A9AE3C3F22820EB60

Non-executed Functions

Function 00889576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0088961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0088965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0088969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008896C9
SendMessageW.USER32 ref: 008896F2
GetKeyState.USER32(00000011), ref: 0088978B
GetKeyState.USER32(00000009), ref: 00889798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 008897AE
GetKeyState.USER32(00000010), ref: 008897B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 008897E9
SendMessageW.USER32 ref: 00889810
SendMessageW.USER32(?,00001030,?,00887E95), ref: 00889918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0088992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00889941
SetCapture.USER32(?), ref: 0088994A
ClientToScreen.USER32(?,?), ref: 008899AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 008899BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008899D6
ReleaseCapture.USER32 ref: 008899E1
GetCursorPos.USER32(?), ref: 00889A19
ScreenToClient.USER32(?,?), ref: 00889A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00889A80
SendMessageW.USER32 ref: 00889AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00889AEB
SendMessageW.USER32 ref: 00889B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00889B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00889B4A
GetCursorPos.USER32(?), ref: 00889B68
ScreenToClient.USER32(?,?), ref: 00889B75
GetParent.USER32(?), ref: 00889B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00889BFA
SendMessageW.USER32 ref: 00889C2B
ClientToScreen.USER32(?,?), ref: 00889C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00889CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00889CDE
SendMessageW.USER32 ref: 00889D01
ClientToScreen.USER32(?,?), ref: 00889D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00889D82

Part of subcall function 00809944: GetWindowLongW.USER32(?,000000EB), ref: 00809952

GetWindowLongW.USER32(?,000000F0), ref: 00889E05

Strings

F, xrefs: 00889D07
@GUI_DRAGID, xrefs: 0088997D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 8213d21073070c427425462af7db6841e77f54aa149b9111cd4cd5f27bd23476
Instruction ID: 452b8bcfcf27f2270e3d772a8d75e67300a9fa699b9ef4e3c3b7952c91847be3
Opcode Fuzzy Hash: 8213d21073070c427425462af7db6841e77f54aa149b9111cd4cd5f27bd23476
Instruction Fuzzy Hash: CB427974204201AFDB25EF68CC88EBABBE5FF59314F18061DF699C72A1E731A854CB51

Function 00884873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 008848F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00884908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00884927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0088494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0088495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0088497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 008849AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 008849D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00884A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00884A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00884A7E
IsMenu.USER32(?), ref: 00884A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00884AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00884B20
GetWindowLongW.USER32(?,000000F0), ref: 00884B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00884BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00884C82
wsprintfW.USER32 ref: 00884CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00884CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00884CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00884D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00884D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00884D5A

Strings

%d/%02d/%02d, xrefs: 00884CA8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 3b6fdad8be53bd8aaab565e3c54aa4cd0cc3e59aa5a10e5679c2001bb28bc291
Instruction ID: 20fdcf87fa1ab7bb3e0173d165a6b6167d5c4dd330b3a59d1ecbc593db2ccc8c
Opcode Fuzzy Hash: 3b6fdad8be53bd8aaab565e3c54aa4cd0cc3e59aa5a10e5679c2001bb28bc291
Instruction Fuzzy Hash: 9312E07260025AABEB24AF28CC49FAE7BF8FF45714F105129F516EB2E1DB749940CB50

Function 0080F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0080F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0084F474
IsIconic.USER32(00000000), ref: 0084F47D
ShowWindow.USER32(00000000,00000009), ref: 0084F48A
SetForegroundWindow.USER32(00000000), ref: 0084F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0084F4AA
GetCurrentThreadId.KERNEL32 ref: 0084F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0084F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0084F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0084F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0084F4DE
SetForegroundWindow.USER32(00000000), ref: 0084F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F4F6
keybd_event.USER32(00000012,00000000), ref: 0084F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F50B
keybd_event.USER32(00000012,00000000), ref: 0084F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F519
keybd_event.USER32(00000012,00000000), ref: 0084F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0084F528
keybd_event.USER32(00000012,00000000), ref: 0084F52D
SetForegroundWindow.USER32(00000000), ref: 0084F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0084F557

Strings

Shell_TrayWnd, xrefs: 0084F46F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c8c6bba82d2cff48050b11d09e27b178cbbba14df23625ff165eea60afe75214
Instruction ID: 03908a943ed9bfee0c44a7d43d33dfed94cb39e6b35dbfdb3d2829d19dc09237
Opcode Fuzzy Hash: c8c6bba82d2cff48050b11d09e27b178cbbba14df23625ff165eea60afe75214
Instruction Fuzzy Hash: 12311E71A4021CBAEB216BB99C4AFBF7E6CFB44B50F110069FA05E61D1D6B15D00ABB0

Function 00851201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 008516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085170D
Part of subcall function 008516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0085173A
Part of subcall function 008516C3: GetLastError.KERNEL32 ref: 0085174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00851286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 008512A8
CloseHandle.KERNEL32(?), ref: 008512B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008512D1
GetProcessWindowStation.USER32 ref: 008512EA
SetProcessWindowStation.USER32(00000000), ref: 008512F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00851310

Part of subcall function 008510BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008511FC), ref: 008510D4
Part of subcall function 008510BF: CloseHandle.KERNEL32(?,?,008511FC), ref: 008510E9

Strings

winsta0, xrefs: 008512CC
default, xrefs: 0085130B
, xrefs: 0085125A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: f13272d95f3fc8a9b1296eb15b26e7fbe0b4e9c2e64649741f6288d6a890a538
Instruction ID: 5b00675c4e0c84e43c4df60ba4ba7ed64ac35c1797abfcf2d60f969f96285579
Opcode Fuzzy Hash: f13272d95f3fc8a9b1296eb15b26e7fbe0b4e9c2e64649741f6288d6a890a538
Instruction Fuzzy Hash: D3817971900209AFDF219FA8DC89FEE7BBAFF04705F145129F910E62A0D7749948CB25

Function 00850B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00851114
Part of subcall function 008510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851120
Part of subcall function 008510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 0085112F
Part of subcall function 008510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851136
Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0085114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00850BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00850C00
GetLengthSid.ADVAPI32(?), ref: 00850C17
GetAce.ADVAPI32(?,00000000,?), ref: 00850C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00850C6D
GetLengthSid.ADVAPI32(?), ref: 00850C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00850C8C
HeapAlloc.KERNEL32(00000000), ref: 00850C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00850CB4
CopySid.ADVAPI32(00000000), ref: 00850CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00850CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00850D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00850D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850D45
HeapFree.KERNEL32(00000000), ref: 00850D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850D55
HeapFree.KERNEL32(00000000), ref: 00850D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850D65
HeapFree.KERNEL32(00000000), ref: 00850D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00850D78
HeapFree.KERNEL32(00000000), ref: 00850D7F

Part of subcall function 00851193: GetProcessHeap.KERNEL32(00000008,00850BB1,?,00000000,?,00850BB1,?), ref: 008511A1
Part of subcall function 00851193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00850BB1,?), ref: 008511A8
Part of subcall function 00851193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00850BB1,?), ref: 008511B7

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 12deda7d980606a289d38b4f98b189666f938e97bb1e237f6643cd7587b04c4f
Instruction ID: 181c0eaee1ce065072441d2c1b5b000674b0e35a9a12e97a6979f318c49a053a
Opcode Fuzzy Hash: 12deda7d980606a289d38b4f98b189666f938e97bb1e237f6643cd7587b04c4f
Instruction Fuzzy Hash: 0A71497690020AABEF109FA8DC88BEEBBB8FF05341F144615ED14E6195D775A909CF60

Function 0086EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0088CC08), ref: 0086EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0086EB37
GetClipboardData.USER32(0000000D), ref: 0086EB43
CloseClipboard.USER32 ref: 0086EB4F
GlobalLock.KERNEL32(00000000), ref: 0086EB87
CloseClipboard.USER32 ref: 0086EB91
GlobalUnlock.KERNEL32(00000000), ref: 0086EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0086EBC9
GetClipboardData.USER32(00000001), ref: 0086EBD1
GlobalLock.KERNEL32(00000000), ref: 0086EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0086EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0086EC38
GetClipboardData.USER32(0000000F), ref: 0086EC44
GlobalLock.KERNEL32(00000000), ref: 0086EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0086EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0086EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0086ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0086ECF3
CountClipboardFormats.USER32 ref: 0086ED14
CloseClipboard.USER32 ref: 0086ED59

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 54d6cd98dda49b292154baddf555ac359b2ff9172c0108c571fbf7dcb91b197b
Instruction ID: b6d470770b4dce4f4e69b74431d041813e4256e94c17f359ca77a5db841a10c2
Opcode Fuzzy Hash: 54d6cd98dda49b292154baddf555ac359b2ff9172c0108c571fbf7dcb91b197b
Instruction Fuzzy Hash: FE61BD38204205AFD300EF28D888F7AB7A4FF84754F15451DF556D72A6DB31E945CBA2

Function 0086698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 008669BE
FindClose.KERNEL32(00000000), ref: 00866A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00866A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00866A75

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00866AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00866ADF

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00866B6A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00866B32
%02d, xrefs: 00866C00, 00866C0A, 00866C5A, 00866CAA, 00866CFA, 00866D4A
%4d, xrefs: 00866BB1
%03d, xrefs: 00866DA2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 9c220c5128943c4d6e1d9ff8bc5f1c10f1cd3cf9c42e65160959eda85f9c04eb
Instruction ID: 551dd84aef8e78e04dbfd2dfc10cc264c3609125d907578b5152065acb891de0
Opcode Fuzzy Hash: 9c220c5128943c4d6e1d9ff8bc5f1c10f1cd3cf9c42e65160959eda85f9c04eb
Instruction Fuzzy Hash: 87D15F72508344AEC314EBA4C995EBBB7ECFF88704F44491DF685D6291EB38DA04CB62

Function 00869642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00869663
GetFileAttributesW.KERNEL32(?), ref: 008696A1
SetFileAttributesW.KERNEL32(?,?), ref: 008696BB
FindNextFileW.KERNEL32(00000000,?), ref: 008696D3
FindClose.KERNEL32(00000000), ref: 008696DE
FindFirstFileW.KERNEL32(*.*,?), ref: 008696FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0086974A
SetCurrentDirectoryW.KERNEL32(008B6B7C), ref: 00869768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00869772
FindClose.KERNEL32(00000000), ref: 0086977F
FindClose.KERNEL32(00000000), ref: 0086978F

Strings

*.*, xrefs: 008696F5

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: d2151662db4c171d7e5bd7b2cb08a678617041f26a37a9189bb34ec002c49297
Instruction ID: 1ccfb0725b19f64627230e28482b463825a9d6a6f916d3993835ddda2bdebd87
Opcode Fuzzy Hash: d2151662db4c171d7e5bd7b2cb08a678617041f26a37a9189bb34ec002c49297
Instruction Fuzzy Hash: 8931A232541219AADF14AFB8EC49EEE77ACFF49320F114165F955E21D0EB34D9848B24

Function 0086979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 008697BE
FindNextFileW.KERNEL32(00000000,?), ref: 00869819
FindClose.KERNEL32(00000000), ref: 00869824
FindFirstFileW.KERNEL32(*.*,?), ref: 00869840
SetCurrentDirectoryW.KERNEL32(?), ref: 00869890
SetCurrentDirectoryW.KERNEL32(008B6B7C), ref: 008698AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 008698B8
FindClose.KERNEL32(00000000), ref: 008698C5
FindClose.KERNEL32(00000000), ref: 008698D5

Part of subcall function 0085DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0085DB00

Strings

*.*, xrefs: 0086983B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 4480899fb7edccde309861d01c4fd782b7f18e10721364b49ca4f398cac89fd8
Instruction ID: d0d1aa36acdee736134822a8220b7c2c97cfa356f283f5f9ed9deefce26774de
Opcode Fuzzy Hash: 4480899fb7edccde309861d01c4fd782b7f18e10721364b49ca4f398cac89fd8
Instruction Fuzzy Hash: 8A31C332540219AADB10AFB8EC48ADE77ACFF4A320F114165E890E32D4EB35D985CB60

Function 0085D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

Part of subcall function 0085E199: GetFileAttributesW.KERNEL32(?,0085CF95), ref: 0085E19A

FindFirstFileW.KERNEL32(?,?), ref: 0085D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0085D1DD
MoveFileW.KERNEL32(?,?), ref: 0085D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0085D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0085D237

Part of subcall function 0085D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0085D21C,?,?), ref: 0085D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0085D253
FindClose.KERNEL32(00000000), ref: 0085D264

Strings

\*.*, xrefs: 0085D0CD, 0085D0D6, 0085D0EB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 9f05fba601fd3c683c81102937ad19274438422bec1c3873234666005d618cda
Instruction ID: f1a9139ab18968e9e6ed5ca0b2727ee5aa881cf50519a068748a65e7fbcbb45d
Opcode Fuzzy Hash: 9f05fba601fd3c683c81102937ad19274438422bec1c3873234666005d618cda
Instruction Fuzzy Hash: 9B61463180120DEACF15EBA4CA969FDB7B5FF15342F204165E906B7291EB34AF09CB61

Function 0086ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0086ED91
EmptyClipboard.USER32 ref: 0086ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0086EDAC
CloseClipboard.USER32 ref: 0086EEA3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 52fe6af8966039459df7f5a61e2e46ec45ccd2e01e30d3ac03dee4381aeb76a3
Instruction ID: 7e2ab05b68a360ee4013a64328ab63ff673018e1c0ada7bbff96724b4f1892da
Opcode Fuzzy Hash: 52fe6af8966039459df7f5a61e2e46ec45ccd2e01e30d3ac03dee4381aeb76a3
Instruction Fuzzy Hash: 09416C39604611AFE721DF19E888B29BBE5FF44328F15C099E419CB7A2D776EC41CB90

Function 0085E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 008516C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085170D
Part of subcall function 008516C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0085173A
Part of subcall function 008516C3: GetLastError.KERNEL32 ref: 0085174A

ExitWindowsEx.USER32(?,00000000), ref: 0085E932

Strings

SeShutdownPrivilege, xrefs: 0085E902
, xrefs: 0085E920
, xrefs: 0085E95C
@, xrefs: 0085E925

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 02de051166edab191b0b2ed7ec5c48c962eb93eeadea4a5a6120e27e856febfa
Instruction ID: faee2b8ebb1520e5a88197c0d81cc206d709f0d998799e9b7bad34bffd8e7c14
Opcode Fuzzy Hash: 02de051166edab191b0b2ed7ec5c48c962eb93eeadea4a5a6120e27e856febfa
Instruction Fuzzy Hash: 3C014E72A10214AFEF182678AC8AFBF769CFB14747F140422FC13E21D1D6745D4882A1

Function 00871204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00871276
WSAGetLastError.WSOCK32 ref: 00871283
bind.WSOCK32(00000000,?,00000010), ref: 008712BA
WSAGetLastError.WSOCK32 ref: 008712C5
closesocket.WSOCK32(00000000), ref: 008712F4
listen.WSOCK32(00000000,00000005), ref: 00871303
WSAGetLastError.WSOCK32 ref: 0087130D
closesocket.WSOCK32(00000000), ref: 0087133C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: ebaf3ecdc27fdb900ab2d2e097a78a764a1cba26729c0208983ad331d2a4b3d0
Instruction ID: e177f127aea54ff922bbdc57bbd0d278a9e98b15ace0c2b4e211c4de672ec360
Opcode Fuzzy Hash: ebaf3ecdc27fdb900ab2d2e097a78a764a1cba26729c0208983ad331d2a4b3d0
Instruction Fuzzy Hash: E7414C316001049FDB10DF68C488B29BBE6FF46318F18C198E95A9B79AC775ED85CBA1

Function 0082B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0082B9D4
_free.LIBCMT ref: 0082B9F8
_free.LIBCMT ref: 0082BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00893700), ref: 0082BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0082BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008C1270,000000FF,?,0000003F,00000000,?), ref: 0082BC36
_free.LIBCMT ref: 0082BD4B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 012dd405bd6a5d8f5d9a8051de7bc5b8b057a339544c774e0d3205b48584f2ef
Instruction ID: 2910c18afd50112d52a976539c39d89bd4b05f086da2d6c46a6daa0a5428c3e7
Opcode Fuzzy Hash: 012dd405bd6a5d8f5d9a8051de7bc5b8b057a339544c774e0d3205b48584f2ef
Instruction Fuzzy Hash: A0C13A71906229AFCB10DF68BC45BAEBBB8FF46320F14416AE495D7252EB309EC1C751

Function 0085D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

Part of subcall function 0085E199: GetFileAttributesW.KERNEL32(?,0085CF95), ref: 0085E19A

FindFirstFileW.KERNEL32(?,?), ref: 0085D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0085D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0085D481
FindClose.KERNEL32(00000000), ref: 0085D498
FindClose.KERNEL32(00000000), ref: 0085D4A1

Strings

\*.*, xrefs: 0085D3F2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: ac080be3be8cd590586cebcc46e5f86019bbfe2ff18abccafcb77d09635c8235
Instruction ID: cbf03d32c1d50d6ad2c9ca067983b3084ef45c6da1a477832900e42336aa5efa
Opcode Fuzzy Hash: ac080be3be8cd590586cebcc46e5f86019bbfe2ff18abccafcb77d09635c8235
Instruction Fuzzy Hash: 89319E71008349EBC311EF64C8958BFB7E8BE91305F404A2DF9D592291EB34AA0DC767

Function 0082E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0082E645

Strings

1#SNAN, xrefs: 0082F844
1#INF, xrefs: 0082F852
1#QNAN, xrefs: 0082F84B
1#IND, xrefs: 0082F83D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2ffbd6c7e5528cb2bf8b66ba5e3b391e9bdb32b7fe46bbd3bfdc15c3f3bd0eeb
Instruction ID: fcfcfe5033c44d60321c41d05cea7e6624bf99a94c3a7399cca0f986f6cd0166
Opcode Fuzzy Hash: 2ffbd6c7e5528cb2bf8b66ba5e3b391e9bdb32b7fe46bbd3bfdc15c3f3bd0eeb
Instruction Fuzzy Hash: B9C21671E086288FDB25CE28AD407EAB7B5FB48305F1441EAD94EE7241E774AE81CF44

Function 0086648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008664DC
CoInitialize.OLE32(00000000), ref: 00866639
CoCreateInstance.OLE32(0088FCF8,00000000,00000001,0088FB68,?), ref: 00866650
CoUninitialize.OLE32 ref: 008668D4

Strings

.lnk, xrefs: 008664BA, 00866524, 008665E0

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: d68d7842dddb9672527d4f9bd803d88347f6dc96e70c4dc4b54ca3a1ef4dd96e
Instruction ID: c95327331907631dd41fc144a20d5db873b6527502a73b2625ed430f6f5c2493
Opcode Fuzzy Hash: d68d7842dddb9672527d4f9bd803d88347f6dc96e70c4dc4b54ca3a1ef4dd96e
Instruction Fuzzy Hash: A1D159715082459FC304EF24C885A6BB7E9FF94704F14496DF696CB2A1EB70E905CBA2

Function 008722DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 008722E8

Part of subcall function 0086E4EC: GetWindowRect.USER32(?,?), ref: 0086E504

GetDesktopWindow.USER32 ref: 00872312
GetWindowRect.USER32(00000000), ref: 00872319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00872355
GetCursorPos.USER32(?), ref: 00872381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008723DF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 1f7bb3e9ce0146d9a10033055529047cea5a9f36c9bba73cfc16d385d3ae49b4
Instruction ID: af8497e8e04170fae1d9a7cb0c1dce4f41790085cc6bf60330fc8ce964bd4641
Opcode Fuzzy Hash: 1f7bb3e9ce0146d9a10033055529047cea5a9f36c9bba73cfc16d385d3ae49b4
Instruction Fuzzy Hash: 9E31D072504315AFDB20DF58D845B5BBBAAFF84314F004919F989D7291DB34EA08CBA2

Function 00869B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00869B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00869C8B

Part of subcall function 00863874: GetInputState.USER32 ref: 008638CB
Part of subcall function 00863874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00863966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00869BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00869C75

Strings

*.*, xrefs: 00869B5D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 1692ffb75ff3447a77d469b3144ad852d2c9153f50bac02d1d3c7915e50224d5
Instruction ID: 55954d69814c4a3cef8d6c4244639d5c0c7a836225c0d05d752f6c49998924c9
Opcode Fuzzy Hash: 1692ffb75ff3447a77d469b3144ad852d2c9153f50bac02d1d3c7915e50224d5
Instruction Fuzzy Hash: 25416D7190020AAFCF15DF64C989AEEBBB8FF05350F244055E955E22D1EB349E84CF61

Function 0080997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 00809A4E
GetSysColor.USER32(0000000F), ref: 00809B23
SetBkColor.GDI32(?,00000000), ref: 00809B36

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 0718cdb50abbc092f3323dfa7e499283f64da17b2e739d29f959db2028d7d930
Instruction ID: 0a65dfa67c8a251faf71c5959881d6799336fbecbf1df792c3bc8c89fec3bdc3
Opcode Fuzzy Hash: 0718cdb50abbc092f3323dfa7e499283f64da17b2e739d29f959db2028d7d930
Instruction Fuzzy Hash: 27A1087030946CAEE768AA2C8C98E7B3A9DFB86354F150119F582D66D3CB35DD01C376

Function 00871806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0087304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0087307A
Part of subcall function 0087304E: _wcslen.LIBCMT ref: 0087309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0087185D
WSAGetLastError.WSOCK32 ref: 00871884
bind.WSOCK32(00000000,?,00000010), ref: 008718DB
WSAGetLastError.WSOCK32 ref: 008718E6
closesocket.WSOCK32(00000000), ref: 00871915

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 6a5cb8da466419056111ab98c8222966eef69cf30138ee2ef1a36cbbbe82a819
Instruction ID: 0d6d82bd09b6509648f919a263bc51d44dde548b96babcc2001719084bbb6140
Opcode Fuzzy Hash: 6a5cb8da466419056111ab98c8222966eef69cf30138ee2ef1a36cbbbe82a819
Instruction Fuzzy Hash: 7A519471A002049FDB10AF28C88AF3A77E5EB44718F188058FA099F3D7C775ED418BA1

Function 00881C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00881CC0
IsWindowEnabled.USER32 ref: 00881CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00881CDB
IsIconic.USER32 ref: 00881CE9
IsZoomed.USER32 ref: 00881CF7

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 88847fdda8af2d4e3622cf457539e5bcb4ffab940907261a0417e11ebd2c26c9
Instruction ID: 9a5df8f22728913ac42345a6dd1376a8df4efc8d735b8016fedf1cd6f5b1500d
Opcode Fuzzy Hash: 88847fdda8af2d4e3622cf457539e5bcb4ffab940907261a0417e11ebd2c26c9
Instruction Fuzzy Hash: 672186317402119FDB21AF1AD848B667BEAFF95315B198068E845CB352DB75DC43CB90

Function 007F8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 007F83FA
VUUU, xrefs: 007F83E8
VUUU, xrefs: 00835DF0
VUUU, xrefs: 007F843C
ERCP, xrefs: 007F813C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 43f640ea131058fe7d241bcbb7e640ac6bde98ae42144db810fdfc694605e3a5
Instruction ID: a54a845e8566702c27d4aec5f390295341f7f492e48caa71b0a1c86a672d89aa
Opcode Fuzzy Hash: 43f640ea131058fe7d241bcbb7e640ac6bde98ae42144db810fdfc694605e3a5
Instruction Fuzzy Hash: A0A25970A0061ECBDF64CF58C8407BEB7B1FB94314F2481AAE915EB385EB749D918B91

Function 0085AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0085AAAC
SetKeyboardState.USER32(00000080), ref: 0085AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0085AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0085AB88

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: af6b6818db082854e6ee0de20c85cbb3247e3507d245d04d322a5470cc73d01d
Instruction ID: 39009bb5164a61b242646ee64f3d86554842c0ff8bd4faff882414b5db37bc8c
Opcode Fuzzy Hash: af6b6818db082854e6ee0de20c85cbb3247e3507d245d04d322a5470cc73d01d
Instruction Fuzzy Hash: 4531EC30A40258AEEF39CA688C85BFA77A6FB54322F04431AF981D61D1D3758949C7A3

Function 0086CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0086CE89
GetLastError.KERNEL32(?,00000000), ref: 0086CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0086CEFE

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a0887ca5bcc33ecfa113230d8e0bb7f3d741ade2927f8f5b1961b33e94b0af0e
Instruction ID: 38bffa5bda4c9d95bb9745629fd5600957b0de705ea5436700ac881bc8cdfa16
Opcode Fuzzy Hash: a0887ca5bcc33ecfa113230d8e0bb7f3d741ade2927f8f5b1961b33e94b0af0e
Instruction Fuzzy Hash: 45219DB16003059BDB20DF69D988BA6B7FCFF50358F11441EE686D2151EB75EE44CB60

Function 00858298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 008582AA

Strings

(, xrefs: 008582F0
|, xrefs: 008582DA

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 68242cbec21e49122e917cb8aacd352af8729abd810f996071c6dacef4c4e99b
Instruction ID: cb539449fc29259e60ec4d182003fe68c9a6f9097a15ce7bbd90077f9955fa7a
Opcode Fuzzy Hash: 68242cbec21e49122e917cb8aacd352af8729abd810f996071c6dacef4c4e99b
Instruction Fuzzy Hash: 33323775A00605DFCB28CF59C4819AAB7F0FF48710B15C46EE99AEB3A1EB70E941CB40

Function 00865C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00865CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00865D17
FindClose.KERNEL32(?), ref: 00865D5F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 954fbf81c01dfeb56f90830fd6661d1c26665174c99e35475cd66a248c5a82ac
Instruction ID: 51ac26419e66d060db831ffd65e80f0d07dcae6dc06ca63b2d2f48e4ef195bcf
Opcode Fuzzy Hash: 954fbf81c01dfeb56f90830fd6661d1c26665174c99e35475cd66a248c5a82ac
Instruction Fuzzy Hash: 57518975604A059FC714CF28C498A9AB7E4FF49324F15856DE95ACB3A2CB30ED44CB91

Function 00822622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0082271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00822724
UnhandledExceptionFilter.KERNEL32(?), ref: 00822731

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: afc4be70d71d6650e17145774bc7cac9cc0018c8868660d0cb0a8c1dac1ae6fd
Instruction ID: 5903b2b570547aaac01ebd2a10ee1a39c02f8c17c5f81c8687202e5d092d33b5
Opcode Fuzzy Hash: afc4be70d71d6650e17145774bc7cac9cc0018c8868660d0cb0a8c1dac1ae6fd
Instruction Fuzzy Hash: 1531B475911228ABCB21DF68DC897D9B7B8FF08310F5041EAE41CA6261E7709FC18F55

Function 008651CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008651DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00865238
SetErrorMode.KERNEL32(00000000), ref: 008652A1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 57dffb82a43d56be12cf5aed171ae1dae623d2330f811196c0e46c4a952c5a82
Instruction ID: 53f1ab243bb43b2118e91414614de04e0471b07b8a2db7b7c73e5823b177aac4
Opcode Fuzzy Hash: 57dffb82a43d56be12cf5aed171ae1dae623d2330f811196c0e46c4a952c5a82
Instruction Fuzzy Hash: E3317C35A00508DFDB00DF54D8C8EADBBB4FF08314F098099E905AB3A2CB35E856CBA0

Function 008516C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0080FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00810668
Part of subcall function 0080FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00810685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0085170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0085173A
GetLastError.KERNEL32 ref: 0085174A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: e4d3411290b54efca3a17818339a42256ac420972b74cd99e8c2b2e40946d603
Instruction ID: 7fbf9638b0dc111fee8b8f5f9f64458610e302d8ed92c047b0612d7b552bf895
Opcode Fuzzy Hash: e4d3411290b54efca3a17818339a42256ac420972b74cd99e8c2b2e40946d603
Instruction Fuzzy Hash: C611C4B1400305AFDB189F68DC86E6BB7F9FB44755B20C52EE45693645EB70BC458B20

Function 0085D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0085D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0085D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0085D650

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: d5065f7d2170ef2bb8648c8b8b202f0e7e12dd98320074a661e17a53eb892e70
Instruction ID: 3c2be01ba74565a13f77760302587509a673a84c845a231054061c5ee258ab13
Opcode Fuzzy Hash: d5065f7d2170ef2bb8648c8b8b202f0e7e12dd98320074a661e17a53eb892e70
Instruction Fuzzy Hash: 33113C75E05228BBDB208F999C45FAFBBBCFB45B50F108115FD04E7294D6705A058BA1

Function 00851663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0085168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008516A1
FreeSid.ADVAPI32(?), ref: 008516B1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: d3e2bbc6fab3aa05c0c6e8384e16f6c4a17ee56fc3ea35fc37d65ed87889c561
Instruction ID: 16e9bd8efd5483516b32e922f0cfbf7f73c04eb1088f3b87309911934795ee7d
Opcode Fuzzy Hash: d3e2bbc6fab3aa05c0c6e8384e16f6c4a17ee56fc3ea35fc37d65ed87889c561
Instruction Fuzzy Hash: 6BF0F475950309FBDF00DFE49C89EAEBBBCFB08645F504565E901E2181E774AA449B60

Function 0082C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0082C36C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 95268d91dd62c8c567297fdacc9246e200a2f9be8b304952ab8d424c94abbb7f
Instruction ID: 76a900ab7afe08c1a6f1ca15d2f2a6c9fca63e2b0b9cd80b7508f1c84f13fd6b
Opcode Fuzzy Hash: 95268d91dd62c8c567297fdacc9246e200a2f9be8b304952ab8d424c94abbb7f
Instruction Fuzzy Hash: 47411576900229ABCB20EFB9EC49EBF77B8FB84354F104669F905D7280E6709D818B50

Function 0081CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: d7909ed6b900624728f3d56629a870ef659c35cab81992db92fd09a2cfdf7f8e
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 57021B71E402199BDF14CFA9D8806EDBBF5FF88324F25816AD819E7380D731AE418B94

Function 008668EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00866918
FindClose.KERNEL32(00000000), ref: 00866961

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8b346f09b229552b8cc977085a66d8af3eadbb01a92fadef011409f669a48aa4
Instruction ID: b818da48afdb076880d6d8a88e3d67ade6aec83a96b122cea4b2ee14a72b3961
Opcode Fuzzy Hash: 8b346f09b229552b8cc977085a66d8af3eadbb01a92fadef011409f669a48aa4
Instruction Fuzzy Hash: F411D0316042459FC710CF29C488A26BBE4FF84328F05C699E8698F3A2D734EC05CB90

Function 008637B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00874891,?,?,00000035,?), ref: 008637E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00874891,?,?,00000035,?), ref: 008637F4

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 5f7b4833af870cf626b69f3c9712a8c69c81d14ab7130acc061d08613f57344d
Instruction ID: 1da936b32dea2882aeb87c908a88b308f7f5125bfa9ef98b0cf2cf01bb55ccca
Opcode Fuzzy Hash: 5f7b4833af870cf626b69f3c9712a8c69c81d14ab7130acc061d08613f57344d
Instruction Fuzzy Hash: B7F0E5B06042296AEB20177A9C4DFEB3AAEFFC4761F000175F609D2285DA709904C7B0

Function 0085B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0085B25D
keybd_event.USER32(?,7608C0D0,?,00000000), ref: 0085B270

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 6a6563dfc510336a9acd0d0fd0f68cdb1464f5b43988d429502c684e1954fe53
Instruction ID: 6ccfe2560c2b7cd7d4f09ef22f9b3fac3e6c1ef2a038f673fb4ee5d1f92e1cab
Opcode Fuzzy Hash: 6a6563dfc510336a9acd0d0fd0f68cdb1464f5b43988d429502c684e1954fe53
Instruction Fuzzy Hash: 9DF01D7180424DABDF059FA4C805BAE7BB4FF04309F008009F955A6191C77986159FA4

Function 008510BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008511FC), ref: 008510D4
CloseHandle.KERNEL32(?,?,008511FC), ref: 008510E9

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 529cac26666ddb177d279429d73e928ae5386ad993ec3ed77e1018115a8a4e7c
Instruction ID: e4c3e4281e76dfebae32d6fb683fbdad020523c739ad886b70af14308aba4693
Opcode Fuzzy Hash: 529cac26666ddb177d279429d73e928ae5386ad993ec3ed77e1018115a8a4e7c
Instruction Fuzzy Hash: 94E04F32004601AEE7652B65FC09E7377A9FB04310B20C82DF9A5C04F5DB72AC90DB60

Function 007FCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00840C40

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: f1620f81d49736849739c46330d399939393f8ce7c8f607bf998a5a839d6d755
Instruction ID: 2789e09d06efeac47e292ff4b3f2b2b06ab33a196afb1f6ccf54f3dbcf936fdb
Opcode Fuzzy Hash: f1620f81d49736849739c46330d399939393f8ce7c8f607bf998a5a839d6d755
Instruction Fuzzy Hash: CD32687090021CDBCF15DF94CA85AFEB7B5FF04304F248059EA06AB392D779AA45DB61

Function 0082676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00826766,?,?,00000008,?,?,0082FEFE,00000000), ref: 00826998

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b88e8102a1af1bcc7ee44a7a1303ba6fb61eab6b315c2aca601a4d1fc5f8f54a
Instruction ID: 7ea28696cc98426d61a6fb8a3b1758720ef94262b46faf07baa4712aa96306b9
Opcode Fuzzy Hash: b88e8102a1af1bcc7ee44a7a1303ba6fb61eab6b315c2aca601a4d1fc5f8f54a
Instruction Fuzzy Hash: 6CB16D31610618DFD719CF28D486B657BE0FF05368F298658E89ACF2A2D735E9E1CB40

Function 0080B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0084851F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5dcbe7907ee01127703096386269039d20c7747f05c073388aa74fbd3f4966b2
Instruction ID: a112881dfa6fb840f4cde69eed5fd4e048a208a0779c137ef22254b2aed9431c
Opcode Fuzzy Hash: 5dcbe7907ee01127703096386269039d20c7747f05c073388aa74fbd3f4966b2
Instruction Fuzzy Hash: 58125F71900629DFDB64CF58C8806AEB7F5FF48710F1481AAE849EB295DB349E81CF94

Function 0086EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0086EABD

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 51a1641f50e300ead0d10c100a3175f6f3ce8f8e1ddb5369d4c549f3ba41cce3
Instruction ID: d5244fa36abab38c87a151ae3cafbad167246ae132e358e10c2e8d0538168d2e
Opcode Fuzzy Hash: 51a1641f50e300ead0d10c100a3175f6f3ce8f8e1ddb5369d4c549f3ba41cce3
Instruction Fuzzy Hash: 57E012352002189FC710DF59D444D5AF7D9FF68760F018416FD45C7351D674A8408B90

Function 008109D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008103EE), ref: 008109DA

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b991ee5666c0bdc95ee1ca282afdf2f6992fac50857ecf14337560ff1410f7d3
Instruction ID: 694a38085c09b8400c2326d32a4809b8cce8eb8155cf7f0e9fecacee9f286ccc
Opcode Fuzzy Hash: b991ee5666c0bdc95ee1ca282afdf2f6992fac50857ecf14337560ff1410f7d3
Instruction Fuzzy Hash:

Function 0081781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0081798B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d0db9c67c81aa13c0475d3683155fb49b3316cbb4305effa239619ae951f8340
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: D151386160C6495ADB384768885ABFE27BDFF12344F18052DE883D7282C619DECAD35A

Function 00826DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a747b032d76cfc3f090000640f5e462a7359030a0d427d7e2c024b06ba17fec2
Instruction ID: d1c80bce1abd552cee81c8b74b3127eba546c7e937e8407b19ca7a4c90664323
Opcode Fuzzy Hash: a747b032d76cfc3f090000640f5e462a7359030a0d427d7e2c024b06ba17fec2
Instruction Fuzzy Hash: 51322421D29F114DD723A635E962339A249FFB73C5F19D737E81AB59A6EB28C4C34100

Function 0080CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af0b3680896128dacc7952bd4ea79e7c261dcae36a7dff66f7fe04f02230e181
Instruction ID: 4bb2ddeded6cc039d90acf32e33fb711e0e0e3c5cadd6d333bbcf52d5b3b62d1
Opcode Fuzzy Hash: af0b3680896128dacc7952bd4ea79e7c261dcae36a7dff66f7fe04f02230e181
Instruction Fuzzy Hash: A5324A31A0111D8BDFA8CF29C8D067D7BA9FB45318F29866AD45ADB2D2E334DD81DB40

Function 007F7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 616a74d481c8bae78effd601a9715d304ea3ef605ad04247ba6270f0b5a70b6b
Instruction ID: 2693ddd5a5a05d3afdc147e6e038982a9250f098ceffc47b1ed2f67fa3ac3c53
Opcode Fuzzy Hash: 616a74d481c8bae78effd601a9715d304ea3ef605ad04247ba6270f0b5a70b6b
Instruction Fuzzy Hash: AD2291B0A04609DFDF18CF68D881ABEB7B5FF44300F104529E916E7391EB39A955CB91

Function 007F91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cadf6b57aaab746a2dd9fff0d6d40d3320e930de12b6368693308108980fdfd3
Instruction ID: 050bcd1b035981d88291f931a174eb5aa00a49c6e16754f522d3c7b02240c6a7
Opcode Fuzzy Hash: cadf6b57aaab746a2dd9fff0d6d40d3320e930de12b6368693308108980fdfd3
Instruction Fuzzy Hash: 4602B5B0A00209EBDB14DF64D881AAEB7B5FF84300F118169E916DB3D1EB35AE51CBD1

Function 00811C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a3fcd58ecc670aa4ee4058e17fedd63c7a5bef4cb361c88a9b1cd988e4695419
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 509177722080A34ADF69467A957C0BEFFE5FE923A131A079DD5F2CA1C1FE148994D620

Function 008119B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: fba30f5e77fb6d3b61a395199b16205af70fd792b77b1838d417ca18e1991633
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AD91537220D0A34ADF69427A957C0BDFFE9EE923B131A079DD5F2CA1C1FE1485A4D620

Function 00817A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e7c16cd456e192fb8d2ad3290ff76b9477edf7c7aed45071b4f45f613123a1
Instruction ID: 4409270a4c8702899e8fab14c5fc244465bce11e24ec62606b38cbee908c2b86
Opcode Fuzzy Hash: 47e7c16cd456e192fb8d2ad3290ff76b9477edf7c7aed45071b4f45f613123a1
Instruction Fuzzy Hash: 1661577120C71996DA349A2C8C96BFE23BCFF41764F24091EE982DB281DB119EC28356

Function 00817CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f917e80be10faf06bdfa390f364e1eca508511860d7b6c0ab1cbf16ba4ad8e75
Instruction ID: a040bcf5187c54150e42dd6bb46033b95fb8d63b910df97dc5f931d54c59ea50
Opcode Fuzzy Hash: f917e80be10faf06bdfa390f364e1eca508511860d7b6c0ab1cbf16ba4ad8e75
Instruction Fuzzy Hash: C761497160C70D97DE385A2C6856BFE23FCFF42B08F10095DE943DB285DA12ADC28256

Function 00811706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: d540f8fa3fa2936900acaa5d758702090704ab0343eb77221ede3d389fcdb61a
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 978185326090A309DF6D423A857C4BEFFE5FE923A131A47ADD5F2CB1C5EE248594D620

Function 00862046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcfc44d90bf47c83a5beea70aa56f7455b50bb5ffc69ebad6035764dd4ab835
Instruction ID: c3933c768df8d696ac9503a4c92e18bf7647b8c62a29bfce8edc98e09335f981
Opcode Fuzzy Hash: 8dcfc44d90bf47c83a5beea70aa56f7455b50bb5ffc69ebad6035764dd4ab835
Instruction Fuzzy Hash: 6321A832620A158BD728CF79C812A7A73E5F764310F15866EE4A7C37D0DE35A944CB50

Function 00872ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00872B30
DeleteObject.GDI32(00000000), ref: 00872B43
DestroyWindow.USER32 ref: 00872B52
GetDesktopWindow.USER32 ref: 00872B6D
GetWindowRect.USER32(00000000), ref: 00872B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00872CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00872CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872CF8
GetClientRect.USER32(00000000,?), ref: 00872D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00872D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D80
GlobalLock.KERNEL32(00000000), ref: 00872D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872D98
GlobalUnlock.KERNEL32(00000000), ref: 00872DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872DA8
GlobalFree.KERNEL32(00000000), ref: 00872DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0088FC38,00000000), ref: 00872DDB
GlobalFree.KERNEL32(00000000), ref: 00872DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00872E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00872E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00872E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0087303F

Strings

, xrefs: 00872FC5
static, xrefs: 00872D3A, 00872E91
DISPLAY, xrefs: 00872EA2
AutoIt v3, xrefs: 00872CF2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ddfabccaf3e50f181f97959159b743d97f6d4fdbdddc3c48ded0c5cb957f5a3f
Instruction ID: d5ac606aec0fc35bdd24352c6b942b1009e2f2bb8d1e14199c7bc3f0a988bfbd
Opcode Fuzzy Hash: ddfabccaf3e50f181f97959159b743d97f6d4fdbdddc3c48ded0c5cb957f5a3f
Instruction Fuzzy Hash: 60025A71500209EFDB14DF68CC89EAE7BB9FB49714F048158F919AB2A5DB78ED01CB60

Function 008870D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0088712F
GetSysColorBrush.USER32(0000000F), ref: 00887160
GetSysColor.USER32(0000000F), ref: 0088716C
SetBkColor.GDI32(?,000000FF), ref: 00887186
SelectObject.GDI32(?,?), ref: 00887195
InflateRect.USER32(?,000000FF,000000FF), ref: 008871C0
GetSysColor.USER32(00000010), ref: 008871C8
CreateSolidBrush.GDI32(00000000), ref: 008871CF
FrameRect.USER32(?,?,00000000), ref: 008871DE
DeleteObject.GDI32(00000000), ref: 008871E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00887230
FillRect.USER32(?,?,?), ref: 00887262
GetWindowLongW.USER32(?,000000F0), ref: 00887284

Part of subcall function 008873E8: GetSysColor.USER32(00000012), ref: 00887421
Part of subcall function 008873E8: SetTextColor.GDI32(?,?), ref: 00887425
Part of subcall function 008873E8: GetSysColorBrush.USER32(0000000F), ref: 0088743B
Part of subcall function 008873E8: GetSysColor.USER32(0000000F), ref: 00887446
Part of subcall function 008873E8: GetSysColor.USER32(00000011), ref: 00887463
Part of subcall function 008873E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00887471
Part of subcall function 008873E8: SelectObject.GDI32(?,00000000), ref: 00887482
Part of subcall function 008873E8: SetBkColor.GDI32(?,00000000), ref: 0088748B
Part of subcall function 008873E8: SelectObject.GDI32(?,?), ref: 00887498
Part of subcall function 008873E8: InflateRect.USER32(?,000000FF,000000FF), ref: 008874B7
Part of subcall function 008873E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008874CE
Part of subcall function 008873E8: GetWindowLongW.USER32(00000000,000000F0), ref: 008874DB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 12ee14c2ca7d1b56e2aaf42fcecf1a202a3da03b0a9f826a65a63b11133fb2db
Instruction ID: 5e4b6b85c84120862719f0684178fd144a9d82bdd1ce9abae347d64fde69c473
Opcode Fuzzy Hash: 12ee14c2ca7d1b56e2aaf42fcecf1a202a3da03b0a9f826a65a63b11133fb2db
Instruction Fuzzy Hash: 87A16F72008301AFDB11EF68DC48A5B7BB9FF89321F200A19F962D61E1D775E944DB62

Function 00808D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00808E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00846AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00846AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00846F43

Part of subcall function 00808F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00808BE8,?,00000000,?,?,?,?,00808BBA,00000000,?), ref: 00808FC5

SendMessageW.USER32(?,00001053), ref: 00846F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00846F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00846FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00846FB7

Strings

0, xrefs: 00846DCF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 57bef7de4b5c27b80b895d0140ff8749d017ac146f58597c8a96086ffbb6c62c
Instruction ID: 0a26eabc2f7ddd9d5625ca9a3c1c75715d9645d8e1831c71021b2e120ceac8a8
Opcode Fuzzy Hash: 57bef7de4b5c27b80b895d0140ff8749d017ac146f58597c8a96086ffbb6c62c
Instruction Fuzzy Hash: D2128B30600219DFDB65CF28CC88BA5BBF5FB46310F544469E585CB2A2DB32ECA5DB52

Function 00872711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0087273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0087286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 008728A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 008728B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00872900
GetClientRect.USER32(00000000,?), ref: 0087290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00872955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00872964
GetStockObject.GDI32(00000011), ref: 00872974
SelectObject.GDI32(00000000,00000000), ref: 00872978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00872988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00872991
DeleteDC.GDI32(00000000), ref: 0087299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008729C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 008729DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00872A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00872A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00872A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00872A77
GetStockObject.GDI32(00000011), ref: 00872A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00872A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00872A97

Strings

msctls_progress32, xrefs: 00872A13
static, xrefs: 0087294F, 00872A71
DISPLAY, xrefs: 0087295A
AutoIt v3, xrefs: 008728F8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 818448f80789b16342796cc539cb3b67011c75abbde4aa7bedc1dc73ffae886a
Instruction ID: d4f12509511d5a690d44d4817d2f6bdccc10e61e169122c17352cb10d3846b63
Opcode Fuzzy Hash: 818448f80789b16342796cc539cb3b67011c75abbde4aa7bedc1dc73ffae886a
Instruction Fuzzy Hash: 29B14C71A00219AFEB14DF68DD89EAE7BB9FB09714F008114FA15E7691D778ED40CBA0

Function 00864ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00864AED
GetDriveTypeW.KERNEL32(?,0088CB68,?,\\.\,0088CC08), ref: 00864BCA
SetErrorMode.KERNEL32(00000000,0088CB68,?,\\.\,0088CC08), ref: 00864D36

Strings

ATAPI, xrefs: 00864C91
PhysicalDrive, xrefs: 00864B76
RAMDisk, xrefs: 00864BF4
SCSI, xrefs: 00864C8A
SATA, xrefs: 00864CD0
\\.\, xrefs: 00864B3F
Fibre, xrefs: 00864CAD
Virtual, xrefs: 00864CE5
SAS, xrefs: 00864CC9
FileBackedVirtual, xrefs: 00864CEC
SSD, xrefs: 00864C4A
SSA, xrefs: 00864CA6
Fixed, xrefs: 00864C09
Unknown, xrefs: 00864BED, 00864C83
Network, xrefs: 00864C02
iSCSI, xrefs: 00864CC2
Removable, xrefs: 00864C10, 00864C15
USB, xrefs: 00864CB4
CDROM, xrefs: 00864BFB
RAID, xrefs: 00864CBB
MMC, xrefs: 00864CDE
1394, xrefs: 00864C9F
ATA, xrefs: 00864C98

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 4b4e0b2344d2ec5f05c74f2ad25050761bd2ed308eacdccb119ecb6c16eebf48
Instruction ID: 0b2ba2b56712e6d3a9550634e5caea82b7e4465d73cb40176b9761925913b4ee
Opcode Fuzzy Hash: 4b4e0b2344d2ec5f05c74f2ad25050761bd2ed308eacdccb119ecb6c16eebf48
Instruction Fuzzy Hash: 4561C17060120ADBCB04DF68CA829BD7BA0FF04344B295415F916EB391EB3EED55DB51

Function 008873E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00887421
SetTextColor.GDI32(?,?), ref: 00887425
GetSysColorBrush.USER32(0000000F), ref: 0088743B
GetSysColor.USER32(0000000F), ref: 00887446
CreateSolidBrush.GDI32(?), ref: 0088744B
GetSysColor.USER32(00000011), ref: 00887463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00887471
SelectObject.GDI32(?,00000000), ref: 00887482
SetBkColor.GDI32(?,00000000), ref: 0088748B
SelectObject.GDI32(?,?), ref: 00887498
InflateRect.USER32(?,000000FF,000000FF), ref: 008874B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 008874CE
GetWindowLongW.USER32(00000000,000000F0), ref: 008874DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0088752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00887554
InflateRect.USER32(?,000000FD,000000FD), ref: 00887572
DrawFocusRect.USER32(?,?), ref: 0088757D
GetSysColor.USER32(00000011), ref: 0088758E
SetTextColor.GDI32(?,00000000), ref: 00887596
DrawTextW.USER32(?,008870F5,000000FF,?,00000000), ref: 008875A8
SelectObject.GDI32(?,?), ref: 008875BF
DeleteObject.GDI32(?), ref: 008875CA
SelectObject.GDI32(?,?), ref: 008875D0
DeleteObject.GDI32(?), ref: 008875D5
SetTextColor.GDI32(?,?), ref: 008875DB
SetBkColor.GDI32(?,?), ref: 008875E5

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 017059e6c45e217eaacf67dc81c9631f50f7f9ef2385e904dda797e58b199375
Instruction ID: 632678cd269d36078e31d6359571dbc8d71aecc6b792ae7ed39a65e2291a2b98
Opcode Fuzzy Hash: 017059e6c45e217eaacf67dc81c9631f50f7f9ef2385e904dda797e58b199375
Instruction Fuzzy Hash: 16614D76900218AFDF11AFA8DC49EAE7FB9FB08320F214115F915EB2A1D7749940DBA0

Function 00880FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00881128
GetDesktopWindow.USER32 ref: 0088113D
GetWindowRect.USER32(00000000), ref: 00881144
GetWindowLongW.USER32(?,000000F0), ref: 00881199
DestroyWindow.USER32(?), ref: 008811B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 008811ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0088120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0088121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00881232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00881245
IsWindowVisible.USER32(00000000), ref: 008812A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 008812BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 008812D0
GetWindowRect.USER32(00000000,?), ref: 008812E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0088130E
GetMonitorInfoW.USER32(00000000,?), ref: 00881328
CopyRect.USER32(?,?), ref: 0088133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 008813AA

Strings

tooltips_class32, xrefs: 008811E6
(, xrefs: 0088131B
0, xrefs: 008810D3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 6138326d147e69fade8554020abd34227c75d869e7826af558f5b6e15069e42e
Instruction ID: c4ebd2c770326f1c4460b2c04c6d6339dcdc003fe24c21490e02c2586fc41c4e
Opcode Fuzzy Hash: 6138326d147e69fade8554020abd34227c75d869e7826af558f5b6e15069e42e
Instruction Fuzzy Hash: EFB14C71604341EFDB14DF68C888B6ABBE8FF84354F008918F999DB261DB75E845CB61

Function 00880241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008802E5
_wcslen.LIBCMT ref: 0088031F
_wcslen.LIBCMT ref: 00880389
_wcslen.LIBCMT ref: 008803F1
_wcslen.LIBCMT ref: 00880475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008804C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00880504

Part of subcall function 0080F9F2: _wcslen.LIBCMT ref: 0080F9FD

Part of subcall function 0085223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00852258
Part of subcall function 0085223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0085228A

Strings

SELECTINVERT, xrefs: 0088057E
VIEWCHANGE, xrefs: 00880675
ISSELECTED, xrefs: 008804DD
SELECTALL, xrefs: 00880515
SELECT, xrefs: 00880548
GETSUBITEMCOUNT, xrefs: 00880384, 0088039F
DESELECT, xrefs: 0088059C
GETSELECTED, xrefs: 008805E1
SELECTCLEAR, xrefs: 0088052D
GETSELECTEDCOUNT, xrefs: 00880470, 0088048B
GETTEXT, xrefs: 008803EC, 00880407
GETITEMCOUNT, xrefs: 00880316, 00880337
FINDITEM, xrefs: 00880627

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 1fa37b16600fe8b1f5c334a2f5bf9f7dc09389941858067ad8c7081101b1b432
Instruction ID: 4a54bb760bd6815387d5fd5d41c1c7c517c0caadae02dd9a0fff81d9667f17fa
Opcode Fuzzy Hash: 1fa37b16600fe8b1f5c334a2f5bf9f7dc09389941858067ad8c7081101b1b432
Instruction Fuzzy Hash: C1E19F312083058BC764EF28C55187AB7E6FF98318B14496CF996DB3A2DB34ED49CB52

Function 00808891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00808968
GetSystemMetrics.USER32(00000007), ref: 00808970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0080899B
GetSystemMetrics.USER32(00000008), ref: 008089A3
GetSystemMetrics.USER32(00000004), ref: 008089C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008089E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008089F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00808A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00808A3C
GetClientRect.USER32(00000000,000000FF), ref: 00808A5A
GetStockObject.GDI32(00000011), ref: 00808A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00808A81

Part of subcall function 0080912D: GetCursorPos.USER32(?), ref: 00809141
Part of subcall function 0080912D: ScreenToClient.USER32(00000000,?), ref: 0080915E
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000001), ref: 00809183
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000002), ref: 0080919D

SetTimer.USER32(00000000,00000000,00000028,008090FC), ref: 00808AA8

Strings

AutoIt v3 GUI, xrefs: 00808A20

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 0bbb7ad726da3ec665111ab37f3ca5ec442a94c24655cdb4bc73b9350a366b22
Instruction ID: 00249b60df1cd0b23df0687137c45b1e2f119c229943615c05d54ff66af000b5
Opcode Fuzzy Hash: 0bbb7ad726da3ec665111ab37f3ca5ec442a94c24655cdb4bc73b9350a366b22
Instruction Fuzzy Hash: 5EB15871A0020ADFDF14DFA8DC99BAA7BB5FB49314F104229FA15E7291DB34E850CB61

Function 00850D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00851114
Part of subcall function 008510F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851120
Part of subcall function 008510F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 0085112F
Part of subcall function 008510F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851136
Part of subcall function 008510F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0085114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00850DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00850E29
GetLengthSid.ADVAPI32(?), ref: 00850E40
GetAce.ADVAPI32(?,00000000,?), ref: 00850E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00850E96
GetLengthSid.ADVAPI32(?), ref: 00850EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00850EB5
HeapAlloc.KERNEL32(00000000), ref: 00850EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00850EDD
CopySid.ADVAPI32(00000000), ref: 00850EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00850F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00850F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00850F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850F6E
HeapFree.KERNEL32(00000000), ref: 00850F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850F7E
HeapFree.KERNEL32(00000000), ref: 00850F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00850F8E
HeapFree.KERNEL32(00000000), ref: 00850F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00850FA1
HeapFree.KERNEL32(00000000), ref: 00850FA8

Part of subcall function 00851193: GetProcessHeap.KERNEL32(00000008,00850BB1,?,00000000,?,00850BB1,?), ref: 008511A1
Part of subcall function 00851193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00850BB1,?), ref: 008511A8
Part of subcall function 00851193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00850BB1,?), ref: 008511B7

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4e34f73f38b2524db304a9100207bfbe9c7acdd3e6df712d8dcda2df69e14c6a
Instruction ID: 92af19083ed2c101c0ebcc0945b33fa571cdb36ae85f09f7b615bbe157e75c24
Opcode Fuzzy Hash: 4e34f73f38b2524db304a9100207bfbe9c7acdd3e6df712d8dcda2df69e14c6a
Instruction Fuzzy Hash: D871597290020AABDF209FA8DC49FAEBBB8FF04342F144115F959E6195DB319A09CF70

Function 0087C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0088CC08,00000000,?,00000000,?,?), ref: 0087C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0087C5A4
_wcslen.LIBCMT ref: 0087C5F4
_wcslen.LIBCMT ref: 0087C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0087C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0087C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0087C84D
RegCloseKey.ADVAPI32(?), ref: 0087C881
RegCloseKey.ADVAPI32(00000000), ref: 0087C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0087C960

Strings

REG_QWORD, xrefs: 0087C8C3
REG_SZ, xrefs: 0087C644
REG_DWORD, xrefs: 0087C804
REG_BINARY, xrefs: 0087C913
REG_MULTI_SZ, xrefs: 0087C6F5
REG_EXPAND_SZ, xrefs: 0087C5CD

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 2605d4687a7c47f58d4dc0589c8480a1e0f57868c01b55086e5423b521e8cd43
Instruction ID: 05add986b478e6d4c7e91333568f226d897782c5b7013f72ae1cfe8f89bf8b94
Opcode Fuzzy Hash: 2605d4687a7c47f58d4dc0589c8480a1e0f57868c01b55086e5423b521e8cd43
Instruction Fuzzy Hash: 06126835604205DFC714DF18C885A2AB7E5FF88724F08885CF99A9B3A2DB35ED45CB86

Function 0088091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008809C6
_wcslen.LIBCMT ref: 00880A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00880A54
_wcslen.LIBCMT ref: 00880A8A
_wcslen.LIBCMT ref: 00880B06
_wcslen.LIBCMT ref: 00880B81

Part of subcall function 0080F9F2: _wcslen.LIBCMT ref: 0080F9FD

Part of subcall function 00852BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00852BFA

Strings

EXISTS, xrefs: 00880B7C, 00880B97
UNCHECK, xrefs: 00880D3E
COLLAPSE, xrefs: 00880B01, 00880B1C
EXPAND, xrefs: 00880BF8
ISCHECKED, xrefs: 00880CE1
SELECT, xrefs: 00880D11
CHECK, xrefs: 00880A85, 00880AA0
GETSELECTED, xrefs: 00880C4E
GETTOTALCOUNT, xrefs: 008809F2, 00880A17
GETTEXT, xrefs: 00880C97
GETITEMCOUNT, xrefs: 00880C1E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 6fbb916befdb49d4ce138900944c951846ed0db20d72f093867bedf3dd9ec74d
Instruction ID: 1bbb04724feb404c640a96fb4ee4ddcd385883d8b9768654b6634f7d562afb3f
Opcode Fuzzy Hash: 6fbb916befdb49d4ce138900944c951846ed0db20d72f093867bedf3dd9ec74d
Instruction Fuzzy Hash: 31E179312083058FC754EF28C45096AB7E2FF98358B14895DF896DB3A2DB31ED49CB82

Function 0087C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
_wcslen.LIBCMT ref: 0087C9F1
_wcslen.LIBCMT ref: 0087CA68
_wcslen.LIBCMT ref: 0087CA9E
_wcslen.LIBCMT ref: 0087CAF9
_wcslen.LIBCMT ref: 0087CB2F
_wcslen.LIBCMT ref: 0087CB7F

Strings

HKU, xrefs: 0087CBF0
HKEY_CURRENT_USER, xrefs: 0087CBBD
HKEY_CLASSES_ROOT, xrefs: 0087CAF3, 0087CAF8
HKCU, xrefs: 0087CBCE
HKCR, xrefs: 0087CB29, 0087CB2E
HKEY_LOCAL_MACHINE, xrefs: 0087CA62, 0087CA67
HKEY_CURRENT_CONFIG, xrefs: 0087CB79, 0087CB7E
HKEY_USERS, xrefs: 0087CBDF
HKLM, xrefs: 0087CA98, 0087CA9D
HKCC, xrefs: 0087CBAC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 22326f1fd537ec2cb608a9dd2cd2f10d08254e9c8763a92e729a7986c9d5355b
Instruction ID: fc5f009cef1c1a934fc248bc1d21d985597a5d62d16dec5414a52810d4a6a1a6
Opcode Fuzzy Hash: 22326f1fd537ec2cb608a9dd2cd2f10d08254e9c8763a92e729a7986c9d5355b
Instruction Fuzzy Hash: 1271E47260012A8BCB20DE7CCD415FE7395FFA1764B25812CF969E7389EA35CD8483A0

Function 0088833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0088835A
_wcslen.LIBCMT ref: 0088836E
_wcslen.LIBCMT ref: 00888391
_wcslen.LIBCMT ref: 008883B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 008883F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00885BF2), ref: 0088844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00888487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 008884CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00888501
FreeLibrary.KERNEL32(?), ref: 0088850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0088851D
DestroyIcon.USER32(?,?,?,?,?,00885BF2), ref: 0088852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00888549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00888555

Strings

.icl, xrefs: 00888368
.dll, xrefs: 008883AB
.exe, xrefs: 00888388

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: e320620819f0a91d49e6efece2182dff3966b6af2db8e76150723bc7abab6772
Instruction ID: d3f77650564ea9edca94fd611f88ab162cd7928f3f1f5852280bafec83876b34
Opcode Fuzzy Hash: e320620819f0a91d49e6efece2182dff3966b6af2db8e76150723bc7abab6772
Instruction Fuzzy Hash: BE61DD72500219FAEB14EF68DC85BBE77A8FF08B20F504609F815E61D1DB74A990CBA0

Function 007F7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

', xrefs: 00835169
#comments-start, xrefs: 007F785F, 007F78B1
#cs, xrefs: 007F7873, 007F78C5
#comments-end, xrefs: 007F78D9
Bad directive syntax error, xrefs: 0083519A
#ce, xrefs: 007F78ED
#requireadmin, xrefs: 007F77FF
#include, xrefs: 007F7847
Cannot parse #include, xrefs: 00835279
#notrayicon, xrefs: 007F77E7
Unterminated group of comments, xrefs: 0083528C
#pragma compile, xrefs: 007F77D3
#include-once, xrefs: 007F782F
#OnAutoItStartRegister, xrefs: 007F7817
", xrefs: 00835153

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 558f79378aa1ddd2cc7f0c2905aabc64f925c5692495c9ca3a3e5f97dcfa2fdd
Instruction ID: 1701ea869991dbc668054ad9f1716bc5faccd86ab153dfe0af74d7d4c76725fe
Opcode Fuzzy Hash: 558f79378aa1ddd2cc7f0c2905aabc64f925c5692495c9ca3a3e5f97dcfa2fdd
Instruction Fuzzy Hash: 8381D071604209ABDB24BF64CC46FBE77A9FF55340F044024FA05EA296EB78DA51C7E2

Function 00855A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00855A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00855A40
SetWindowTextW.USER32(?,?), ref: 00855A57
GetDlgItem.USER32(?,000003EA), ref: 00855A6C
SetWindowTextW.USER32(00000000,?), ref: 00855A72
GetDlgItem.USER32(?,000003E9), ref: 00855A82
SetWindowTextW.USER32(00000000,?), ref: 00855A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00855AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00855AC3
GetWindowRect.USER32(?,?), ref: 00855ACC
_wcslen.LIBCMT ref: 00855B33
SetWindowTextW.USER32(?,?), ref: 00855B6F
GetDesktopWindow.USER32 ref: 00855B75
GetWindowRect.USER32(00000000), ref: 00855B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00855BD3
GetClientRect.USER32(?,?), ref: 00855BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00855C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00855C2F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 95615847b8280c2313ee8a00ebdc1d028294980b00cc70bcd1eeef1fc690e75b
Instruction ID: 68ce4129c04578e1c620ee79155fe23eddfe472b763c267dc62db8b9cae5a890
Opcode Fuzzy Hash: 95615847b8280c2313ee8a00ebdc1d028294980b00cc70bcd1eeef1fc690e75b
Instruction Fuzzy Hash: 35716F31900B09EFDB20DFA8CE99A6EBBF5FF48715F104528E542E25A0D775E948CB60

Function 008100C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008100C6

Part of subcall function 008100ED: InitializeCriticalSectionAndSpinCount.KERNEL32(008C070C,00000FA0,ABF0D643,?,?,?,?,008323B3,000000FF), ref: 0081011C
Part of subcall function 008100ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,008323B3,000000FF), ref: 00810127
Part of subcall function 008100ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,008323B3,000000FF), ref: 00810138
Part of subcall function 008100ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0081014E
Part of subcall function 008100ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0081015C
Part of subcall function 008100ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0081016A
Part of subcall function 008100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00810195
Part of subcall function 008100ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008101A0

___scrt_fastfail.LIBCMT ref: 008100E7

Part of subcall function 008100A3: __onexit.LIBCMT ref: 008100A9

Strings

WakeAllConditionVariable, xrefs: 00810162
kernel32.dll, xrefs: 00810133
SleepConditionVariableCS, xrefs: 00810154
InitializeConditionVariable, xrefs: 00810148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00810122

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 75f8ef2bb439573b462002aff5ec5b262134a365001da9c8920bf02ff7c2a412
Instruction ID: d22b6e80d2f71ecdb8673055cde6c3072a40be21971f9f34bdd04bd294c38546
Opcode Fuzzy Hash: 75f8ef2bb439573b462002aff5ec5b262134a365001da9c8920bf02ff7c2a412
Instruction Fuzzy Hash: 8821D732644710EBD7106B68AC49FAA37E8FF05B51F104139FA11E6792DBB89C808FA1

Function 008530F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085318D
_wcslen.LIBCMT ref: 008531F8

Strings

NAME, xrefs: 00853335, 00853346
CLASSNN, xrefs: 008531F3, 00853204
INSTANCE, xrefs: 00853453
REGEXPCLASS, xrefs: 00853255, 00853266
CLASS, xrefs: 00853188, 008531A5
TEXT, xrefs: 0085347C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 50d510e7ea3224cb715bfa2795b296d885d6b016e768131212f0517327cf65ce
Instruction ID: c20cadc63d2a95cc861179d1c91bd2414789e98224259c44bc9f185d702b8bf2
Opcode Fuzzy Hash: 50d510e7ea3224cb715bfa2795b296d885d6b016e768131212f0517327cf65ce
Instruction Fuzzy Hash: 99E1E532A0051AABCB149FB8C4517EDBBB4FF54791F648129E956E7340EB30AE8D8790

Function 008644C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0088CC08), ref: 00864527
_wcslen.LIBCMT ref: 0086453B
_wcslen.LIBCMT ref: 00864599
_wcslen.LIBCMT ref: 008645F4
_wcslen.LIBCMT ref: 0086463F
_wcslen.LIBCMT ref: 008646A7

Part of subcall function 0080F9F2: _wcslen.LIBCMT ref: 0080F9FD

GetDriveTypeW.KERNEL32(?,008B6BF0,00000061), ref: 00864743

Strings

network, xrefs: 0086469D, 008646A2
cdrom, xrefs: 0086458F, 00864594
ramdisk, xrefs: 008646F1
unknown, xrefs: 00864708
fixed, xrefs: 00864635, 0086463A
all, xrefs: 00864531, 00864536
removable, xrefs: 008645EA, 008645EF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 662ccac8ee74c6be02916ee3b5066a4e2bfde981938a077d8c9946ab3bc12e01
Instruction ID: a50a530487bc69fdf459738df8a7f7bde2d9ca60132ee9125ddca941e9e3e88b
Opcode Fuzzy Hash: 662ccac8ee74c6be02916ee3b5066a4e2bfde981938a077d8c9946ab3bc12e01
Instruction Fuzzy Hash: D8B1FC716083029FC710DF28C890A6EB7E5FFA5724F11691DF696C7291EB34D848CAA2

Function 007F326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(008C1990), ref: 00832F8D
GetMenuItemCount.USER32(008C1990), ref: 0083303D
GetCursorPos.USER32(?), ref: 00833081
SetForegroundWindow.USER32(00000000), ref: 0083308A
TrackPopupMenuEx.USER32(008C1990,00000000,?,00000000,00000000,00000000), ref: 0083309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008330A9

Strings

0, xrefs: 007F327D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 49088061818cc7c7fb4387cfab876f3706dc64b208ad89f6e9c27f4c1ae50b5d
Instruction ID: bf4dcc6f3a7eac5bfe632b907f9869d5a39a3e68f49cb4e84ce9e2cd438136c5
Opcode Fuzzy Hash: 49088061818cc7c7fb4387cfab876f3706dc64b208ad89f6e9c27f4c1ae50b5d
Instruction Fuzzy Hash: B4710A30640209BEEB359F68CC49FAABF64FF45364F204216F624E62E1C7B5AD14D791

Function 00886CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00886DEB

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00886E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00886E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00886E94
DestroyWindow.USER32(?), ref: 00886EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007F0000,00000000), ref: 00886EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00886EFD
GetDesktopWindow.USER32 ref: 00886F16
GetWindowRect.USER32(00000000), ref: 00886F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00886F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00886F4D

Part of subcall function 00809944: GetWindowLongW.USER32(?,000000EB), ref: 00809952

Strings

0, xrefs: 00886D98
tooltips_class32, xrefs: 00886E58, 00886EDD

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 60701d4a4bdbc255ba776b9c1e4a8855ff22f8e3b528f576952718d6e989335d
Instruction ID: 797d659183a1fdfe419d5eaefa97c1f2c2393484e174f206417b81022189d7aa
Opcode Fuzzy Hash: 60701d4a4bdbc255ba776b9c1e4a8855ff22f8e3b528f576952718d6e989335d
Instruction Fuzzy Hash: 27714874104244AFDB21DF18DC48EAABBF9FB99304F54041DFA99C7261EB70E919CB21

Function 0088911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

DragQueryPoint.SHELL32(?,?), ref: 00889147

Part of subcall function 00887674: ClientToScreen.USER32(?,?), ref: 0088769A
Part of subcall function 00887674: GetWindowRect.USER32(?,?), ref: 00887710
Part of subcall function 00887674: PtInRect.USER32(?,?,00888B89), ref: 00887720

SendMessageW.USER32(?,000000B0,?,?), ref: 008891B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 008891BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 008891DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00889225
SendMessageW.USER32(?,000000B0,?,?), ref: 0088923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00889255
SendMessageW.USER32(?,000000B1,?,?), ref: 00889277
DragFinish.SHELL32(?), ref: 0088927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00889371

Strings

@GUI_DRAGFILE, xrefs: 00889320
@GUI_DRAGID, xrefs: 008892E9
@GUI_DROPID, xrefs: 0088929E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 49e7f9597ec88848a3f1a1803dc78de8b1501ae51d7bd061e7cd0438402dc4d9
Instruction ID: bf66f1995840c894276ba000706dd435b1b28f61bd3b3b97fd5ead860324c73a
Opcode Fuzzy Hash: 49e7f9597ec88848a3f1a1803dc78de8b1501ae51d7bd061e7cd0438402dc4d9
Instruction Fuzzy Hash: B7615C71108305AFC701EF64DC89DAFBBE8FF89750F00092DF695922A1DB749A49CB62

Function 0086C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0086C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0086C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0086C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0086C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0086C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0086C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0086C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0086C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0086C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0086C5F0
InternetCloseHandle.WININET(00000000), ref: 0086C5FB

Strings

, xrefs: 0086C575

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4f5b6234a3fc161c18c2a40e3723cc988cff5aabf8e66ae0b0b7ba98353f6471
Instruction ID: 09af9ed5b715f5a02cba93aff4fcf43f6c61e57d745797fbc0f4f778fff8d902
Opcode Fuzzy Hash: 4f5b6234a3fc161c18c2a40e3723cc988cff5aabf8e66ae0b0b7ba98353f6471
Instruction Fuzzy Hash: F8514AB1600609BFEB219F68CD88ABB7BBCFF08754F01441AF986D6650DB34E9449B61

Function 0088856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00888592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885BA
GlobalLock.KERNEL32(00000000), ref: 008885C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885D7
GlobalUnlock.KERNEL32(00000000), ref: 008885E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 008885F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0088FC38,?), ref: 00888611
GlobalFree.KERNEL32(00000000), ref: 00888621
GetObjectW.GDI32(?,00000018,?), ref: 00888641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00888671
DeleteObject.GDI32(?), ref: 00888699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 008886AF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 62e81f8f5e43605012989d1ce1d2a328c88f4af9ce59cccb015825d726ca99d2
Instruction ID: 519179057b505660408d2bc3fb20af46db8835d83514c587ea7369cf8d2fbea8
Opcode Fuzzy Hash: 62e81f8f5e43605012989d1ce1d2a328c88f4af9ce59cccb015825d726ca99d2
Instruction Fuzzy Hash: 6541FA75600208EFDB11DFA9DC88EAA7BB9FF99B15F104058F919E7261DB30A901DB60

Function 008614BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00861502
VariantCopy.OLEAUT32(?,?), ref: 0086150B
VariantClear.OLEAUT32(?), ref: 00861517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 008615FB
VarR8FromDec.OLEAUT32(?,?), ref: 00861657
VariantInit.OLEAUT32(?), ref: 00861708
SysFreeString.OLEAUT32(?), ref: 0086178C
VariantClear.OLEAUT32(?), ref: 008617D8
VariantClear.OLEAUT32(?), ref: 008617E7
VariantInit.OLEAUT32(00000000), ref: 00861823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00861625
Default, xrefs: 008616AF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: b9132ff8d7c46f97b3e7204a6c4c5d032132420c06dc8a423d8c5223c4e34953
Instruction ID: 455a19bc847a65e465a7e6404ad8e969171b4433b1b48960aebdb90f463db196
Opcode Fuzzy Hash: b9132ff8d7c46f97b3e7204a6c4c5d032132420c06dc8a423d8c5223c4e34953
Instruction Fuzzy Hash: 48D1DE31A00219DBDF109F69D88DB79F7B5FF44704F1A8056E906EB686EB34E840DB62

Function 0087B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 0087C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087C9F1
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA68
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0087B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0087B80A
RegCloseKey.ADVAPI32(?), ref: 0087B87E
RegCloseKey.ADVAPI32(?), ref: 0087B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0087B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0087B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0087B922
FreeLibrary.KERNEL32(00000000), ref: 0087B983
RegCloseKey.ADVAPI32(00000000), ref: 0087B994

Strings

advapi32.dll, xrefs: 0087B8ED
RegDeleteKeyExW, xrefs: 0087B8FE

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: b2f4a5d562e38ee04404c2c4390d3c53dc9e55aea7e98a80e12654aed7373d04
Instruction ID: 621b5a4ee0b0b03c43c93c2ee33d575bf05db70eab5e7896365b03aae7558491
Opcode Fuzzy Hash: b2f4a5d562e38ee04404c2c4390d3c53dc9e55aea7e98a80e12654aed7373d04
Instruction Fuzzy Hash: 05C16B31204205EFD714DF14C498B2ABBE6FF84358F14845CE6AA8B3A2CB75E845CB92

Function 0087255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008725D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 008725E8
CreateCompatibleDC.GDI32(?), ref: 008725F4
SelectObject.GDI32(00000000,?), ref: 00872601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0087266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 008726AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 008726D0
SelectObject.GDI32(?,?), ref: 008726D8
DeleteObject.GDI32(?), ref: 008726E1
DeleteDC.GDI32(?), ref: 008726E8
ReleaseDC.USER32(00000000,?), ref: 008726F3

Strings

(, xrefs: 0087268D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 20f53ec2830d4985c6eec99428572ea1a2bf6ddbd5c7975cd006e1b7bea9a47e
Instruction ID: 0dbf23a0edde6148d71d084b20995b2a139edf8f8ec7ce9e284b7cf5273c1b3c
Opcode Fuzzy Hash: 20f53ec2830d4985c6eec99428572ea1a2bf6ddbd5c7975cd006e1b7bea9a47e
Instruction Fuzzy Hash: 9561D475D00219EFCF14CFA8D884AAEBBB5FF58310F20852AE559E7254E770A951CF60

Function 0082DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0082DAA1

Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D659
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D66B
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D67D
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D68F
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6A1
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6B3
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6C5
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6D7
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6E9
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D6FB
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D70D
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D71F
Part of subcall function 0082D63C: _free.LIBCMT ref: 0082D731

_free.LIBCMT ref: 0082DA96

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082DAB8
_free.LIBCMT ref: 0082DACD
_free.LIBCMT ref: 0082DAD8
_free.LIBCMT ref: 0082DAFA
_free.LIBCMT ref: 0082DB0D
_free.LIBCMT ref: 0082DB1B
_free.LIBCMT ref: 0082DB26
_free.LIBCMT ref: 0082DB5E
_free.LIBCMT ref: 0082DB65
_free.LIBCMT ref: 0082DB82
_free.LIBCMT ref: 0082DB9A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: c3a2132d90423058956dea07a0ea6474bd70c90b11b420f691b3eb8d16727011
Instruction ID: 4555ae4d8c9950e30cc680d4a709db19a1b42aba6d7f22aedbf8d55863b3bd49
Opcode Fuzzy Hash: c3a2132d90423058956dea07a0ea6474bd70c90b11b420f691b3eb8d16727011
Instruction Fuzzy Hash: 83314832604325AFEB21AB39F845F5ABFE9FF04321F554429E849D7191DA31ACC08B61

Function 0085365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0085369C
_wcslen.LIBCMT ref: 008536A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00853797
GetClassNameW.USER32(?,?,00000400), ref: 0085380C
GetDlgCtrlID.USER32(?), ref: 0085385D
GetWindowRect.USER32(?,?), ref: 00853882
GetParent.USER32(?), ref: 008538A0
ScreenToClient.USER32(00000000), ref: 008538A7
GetClassNameW.USER32(?,?,00000100), ref: 00853921
GetWindowTextW.USER32(?,?,00000400), ref: 0085395D

Strings

%s%u, xrefs: 00853734

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: bdccf644d6c0e298cfbff148dfab5d80b86010267c3adfaeb66281673a08f711
Instruction ID: dba40fe37c0a91700412fb777a44c49d36ae9b3ab2ec80d876daf1f0fd09f751
Opcode Fuzzy Hash: bdccf644d6c0e298cfbff148dfab5d80b86010267c3adfaeb66281673a08f711
Instruction Fuzzy Hash: 8A91B5B1204606AFD719DF24C885BEAF7E8FF45391F004529FD99D2190EB30EA59CBA1

Function 00854954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00854994
GetWindowTextW.USER32(?,?,00000400), ref: 008549DA
_wcslen.LIBCMT ref: 008549EB
CharUpperBuffW.USER32(?,00000000), ref: 008549F7
_wcsstr.LIBVCRUNTIME ref: 00854A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00854A64
GetWindowTextW.USER32(?,?,00000400), ref: 00854A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00854AE6
GetClassNameW.USER32(?,?,00000400), ref: 00854B20
GetWindowRect.USER32(?,?), ref: 00854B8B

Strings

ThumbnailClass, xrefs: 00854A6F, 00854AF1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f415a4a60374996e1b0bd09c17647e50c4613efac41e8b8d53ec32174eb79584
Instruction ID: 91bd31442ceeee4f5c9025b6df68b110ce34b4e24b73ab7a8cc8cc9b0a9f01ab
Opcode Fuzzy Hash: f415a4a60374996e1b0bd09c17647e50c4613efac41e8b8d53ec32174eb79584
Instruction Fuzzy Hash: 3191F3710042059FDB04CF58C985FAA77E8FF8431AF049469FD85DA196EB34ED89CBA2

Function 00888D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00888D5A
GetFocus.USER32 ref: 00888D6A
GetDlgCtrlID.USER32(00000000), ref: 00888D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00888E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00888ECF
GetMenuItemCount.USER32(?), ref: 00888EEC
GetMenuItemID.USER32(?,00000000), ref: 00888EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00888F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00888F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00888FA1

Strings

0, xrefs: 00888E9F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 63bc7df78c5904d90c682e6f77e70d976f4ffdbb871a0d593f94d6f7ef0e5a2d
Instruction ID: 33ec80a12cb485466dbfcf78ae6a3e98ecf18ca8e97a8c8f5a41d424c8caeda3
Opcode Fuzzy Hash: 63bc7df78c5904d90c682e6f77e70d976f4ffdbb871a0d593f94d6f7ef0e5a2d
Instruction Fuzzy Hash: 30819F71508305DFDB10EF18D884AABBBE9FF88754F540929FA85D7292DB30D904CB62

Function 0085DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0085DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0085DC46
_wcslen.LIBCMT ref: 0085DC50
_wcsstr.LIBVCRUNTIME ref: 0085DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0085DCBC

Strings

StringFileInfo\, xrefs: 0085DC8F
\VarFileInfo\Translation, xrefs: 0085DCB4
%u.%u.%u.%u, xrefs: 0085DD9A
DefaultLangCodepage, xrefs: 0085DD1F
04090000, xrefs: 0085DCF2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: b92fe5c5db55949eb436d984a1b55798b88a941ca4d06037b523698750a47f9b
Instruction ID: c1af7b45767fa9b4225fd1d601f33177c4f806d651950ad65544daa0ddbb0ab3
Opcode Fuzzy Hash: b92fe5c5db55949eb436d984a1b55798b88a941ca4d06037b523698750a47f9b
Instruction Fuzzy Hash: DB41F3329403057BDB20A669DC07EFF776CFF45761F104069FE04E6292EA78AA4187B6

Function 0087CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0087CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0087CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0087CD48

Part of subcall function 0087CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0087CCAA
Part of subcall function 0087CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0087CCBD
Part of subcall function 0087CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0087CCCF
Part of subcall function 0087CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0087CD05
Part of subcall function 0087CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0087CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0087CCF3

Strings

advapi32.dll, xrefs: 0087CCB8
RegDeleteKeyExW, xrefs: 0087CCC9

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 29c21ceda71371c1436a7f64c4ca72d92a692ffbcfe11e380341b2fbe7a1d41e
Instruction ID: 815e5ca60390422c65d868c37d5d11f59a2433d8e730de260ca1cb11b2bb9426
Opcode Fuzzy Hash: 29c21ceda71371c1436a7f64c4ca72d92a692ffbcfe11e380341b2fbe7a1d41e
Instruction Fuzzy Hash: 44318C71901128BBDB218B54DC88EFFBF7CFF45740F004169A90AE3258DA349E459BB0

Function 00863D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00863D40
_wcslen.LIBCMT ref: 00863D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00863D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00863DBE
RemoveDirectoryW.KERNEL32(?), ref: 00863DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00863E55
CloseHandle.KERNEL32(00000000), ref: 00863E60
CloseHandle.KERNEL32(00000000), ref: 00863E6B

Strings

:, xrefs: 00863D82
\, xrefs: 00863D77
\??\%s, xrefs: 00863D5B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 5e98c4e6660e128f711c9964063d46efb5a4932f911955a3912945dae4901575
Instruction ID: 697e35362e488b2d5cee5ec129158a052a7909ec29fb43a374a94828791cffeb
Opcode Fuzzy Hash: 5e98c4e6660e128f711c9964063d46efb5a4932f911955a3912945dae4901575
Instruction Fuzzy Hash: 4E31AF72900209ABDB219BA4DC49FEF77BCFF88700F1140A5F619D61A4EB7497848B24

Function 0085E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0085E6B4

Part of subcall function 0080E551: timeGetTime.WINMM(?,?,0085E6D4), ref: 0080E555

Sleep.KERNEL32(0000000A), ref: 0085E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0085E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0085E727
SetActiveWindow.USER32 ref: 0085E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0085E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0085E773
Sleep.KERNEL32(000000FA), ref: 0085E77E
IsWindow.USER32 ref: 0085E78A
EndDialog.USER32(00000000), ref: 0085E79B

Strings

BUTTON, xrefs: 0085E719

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0851bee4333f2b3eec1b0018a80a504050f004c93dc2fef934edc9cddbf9a838
Instruction ID: f81961847d37e49383623b0346cc1fadb95ca10a1763ae813d49489d8b307897
Opcode Fuzzy Hash: 0851bee4333f2b3eec1b0018a80a504050f004c93dc2fef934edc9cddbf9a838
Instruction Fuzzy Hash: 1A2181B0200245AFEB159F68ECC9E263B79FB6538AF100425F855C12E5DF75AD08DB35

Function 0085E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0085EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0085EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0085EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0085EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0085EAA7

Strings

status PlayMe mode, xrefs: 0085EA58
open , xrefs: 0085EA0C
alias PlayMe, xrefs: 0085EA36
close PlayMe, xrefs: 0085EA6E, 0085EA9B
play PlayMe, xrefs: 0085EAA2
play PlayMe wait, xrefs: 0085EA91

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: edf20fef74283aad55c820381873bda29406920dd5e96a7b2f0a2d7799886169
Instruction ID: 700ca87edb254bff75cdff5589315739ed8404f136aef88c933566295fb2e757
Opcode Fuzzy Hash: edf20fef74283aad55c820381873bda29406920dd5e96a7b2f0a2d7799886169
Instruction Fuzzy Hash: BB114F31A5022DB9D725E7A5DC4AEFF6A7CFFD1B40F000429B911E22D1EAB81A59C5B0

Function 00855CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00855CE2
GetWindowRect.USER32(00000000,?), ref: 00855CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00855D59
GetDlgItem.USER32(?,00000002), ref: 00855D69
GetWindowRect.USER32(00000000,?), ref: 00855D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00855DCF
GetDlgItem.USER32(?,000003E9), ref: 00855DDD
GetWindowRect.USER32(00000000,?), ref: 00855DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00855E31
GetDlgItem.USER32(?,000003EA), ref: 00855E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00855E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00855E67

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5e530749bb0202fb841718ff74cf2f1ff70076efe13c057ca20cd628aee1d532
Instruction ID: e61f3bb10832893ef3f76d49c77e1fba66d3ff661f8b9c07e92e1b09aeac6570
Opcode Fuzzy Hash: 5e530749bb0202fb841718ff74cf2f1ff70076efe13c057ca20cd628aee1d532
Instruction Fuzzy Hash: EA510C71A00609AFDF18CF68DD99AAEBBB5FF48301F548129F915E6294D770AE04CB60

Function 00808BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00808F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00808BE8,?,00000000,?,?,?,?,00808BBA,00000000,?), ref: 00808FC5

DestroyWindow.USER32(?), ref: 00808C81
KillTimer.USER32(00000000,?,?,?,?,00808BBA,00000000,?), ref: 00808D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00846973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00808BBA,00000000,?), ref: 008469A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00808BBA,00000000,?), ref: 008469B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00808BBA,00000000), ref: 008469D4
DeleteObject.GDI32(00000000), ref: 008469E6

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 850754cbe3bc335f478e94d64bf36f79cf90cb99c7db89c323240ce306429ac7
Instruction ID: 6355359e763cab7e1503273113c2d671d0f196337fbb30a936cf2a4e48429da6
Opcode Fuzzy Hash: 850754cbe3bc335f478e94d64bf36f79cf90cb99c7db89c323240ce306429ac7
Instruction Fuzzy Hash: B3619C30102A14DFEBA5DF28DD88B25BBF1FB52316F504518E082D7AA0CB71A9E4DF61

Function 00809838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00809944: GetWindowLongW.USER32(?,000000EB), ref: 00809952

GetSysColor.USER32(0000000F), ref: 00809862

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 85dc4a3e42b334fc141dae3c6dae1e81437ff4faeaf18f1dc0a0ac2411fff945
Instruction ID: fd7734fbbaf4e5adca244c2b1895c2642719d71716adbac1d225be74e709a219
Opcode Fuzzy Hash: 85dc4a3e42b334fc141dae3c6dae1e81437ff4faeaf18f1dc0a0ac2411fff945
Instruction Fuzzy Hash: FD417E71104644AFDB205F389C88BB93BA5FB46320F148665E9E2CB2E7D7319841DB21

Function 008596E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0083F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00859717
LoadStringW.USER32(00000000,?,0083F7F8,00000001), ref: 00859720

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0083F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00859742
LoadStringW.USER32(00000000,?,0083F7F8,00000001), ref: 00859745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00859866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0085984A
^ ERROR, xrefs: 008597FB
Error: , xrefs: 0085981D
Line %d:, xrefs: 008597A0
Line %d (File "%s"):, xrefs: 0085978F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 6be17f24ee3bb1c42465d6bff2be204f90138392f40057f4fb543c87328a54a8
Instruction ID: e0793f5e7cca950dd2a583fc141ea5e9fba84c8625f12e77216cb0d61fabfab7
Opcode Fuzzy Hash: 6be17f24ee3bb1c42465d6bff2be204f90138392f40057f4fb543c87328a54a8
Instruction Fuzzy Hash: 16410B7280021DEACB05EBA4DD4AEFEB778FF14341F500065F605B2292EA396F48CB61

Function 008506DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008507A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008507BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008507DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00850804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0085082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00850837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0085083C

Strings

\IPC$, xrefs: 00850784
\CLSID, xrefs: 00850724
SOFTWARE\Classes\, xrefs: 0085070E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: e06ac24b410ccabf4b838ee1ad68c88c0f09d6a43daa7b4618d492189f9e5b38
Instruction ID: bc40b6d302870e109bae2bba1804d70ecac03bb233efe8c485aaffb660d17690
Opcode Fuzzy Hash: e06ac24b410ccabf4b838ee1ad68c88c0f09d6a43daa7b4618d492189f9e5b38
Instruction Fuzzy Hash: 7441E672C1022DEADF11EBA4DC89DEDB778FF08390B144129E915A2261EB745E04CBA0

Function 00873C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00873C5C
CoInitialize.OLE32(00000000), ref: 00873C8A
CoUninitialize.OLE32 ref: 00873C94
_wcslen.LIBCMT ref: 00873D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00873DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00873ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00873F0E
CoGetObject.OLE32(?,00000000,0088FB98,?), ref: 00873F2D
SetErrorMode.KERNEL32(00000000), ref: 00873F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00873FC4
VariantClear.OLEAUT32(?), ref: 00873FD8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: e7f24de1137e21dc77c89de3c93ae3812d72c3e67dc95c8fb19502f45bb897cc
Instruction ID: 38d42eac1dc35aa0f773cf09d18227dd650fbab871af3a7cd617485ce3a38a3c
Opcode Fuzzy Hash: e7f24de1137e21dc77c89de3c93ae3812d72c3e67dc95c8fb19502f45bb897cc
Instruction Fuzzy Hash: 05C13471608205AFC710DF68C88492BBBE9FF89748F10891DF98ADB211DB31EE05DB52

Function 00867A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00867AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00867B8F
SHGetDesktopFolder.SHELL32(?), ref: 00867BA3
CoCreateInstance.OLE32(0088FD08,00000000,00000001,008B6E6C,?), ref: 00867BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00867C74
CoTaskMemFree.OLE32(?,?), ref: 00867CCC
SHBrowseForFolderW.SHELL32(?), ref: 00867D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00867D7A
CoTaskMemFree.OLE32(00000000), ref: 00867D81
CoTaskMemFree.OLE32(00000000), ref: 00867DD6
CoUninitialize.OLE32 ref: 00867DDC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 1e406a90f857270b02fad42d26956b0c221a001db32455ab9842d57bd3c72892
Instruction ID: d63c2f141d16c26a434a50bc34dc2601ee6c9b6f18dbb2cf77b7a06f1b3f11b4
Opcode Fuzzy Hash: 1e406a90f857270b02fad42d26956b0c221a001db32455ab9842d57bd3c72892
Instruction Fuzzy Hash: BCC11975A04109EFCB14DFA4C888DAEBBB9FF48318B1584A8E919DB361D734ED45CB90

Function 0088541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00885504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00885515
CharNextW.USER32(00000158), ref: 00885544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00885585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0088559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008855AC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 41ba55416e775d037b5186bf58fc4ff6a4b441ec3fb4ddb009727f3c30c8d434
Instruction ID: 3ae97a4d727f349c0ca5551e16950ec00bb742219e9d64e4dcf2a03522c6e181
Opcode Fuzzy Hash: 41ba55416e775d037b5186bf58fc4ff6a4b441ec3fb4ddb009727f3c30c8d434
Instruction Fuzzy Hash: D7618A74904608EBDF10EF94CC84AFE7BB9FF09725F108159F925EA2A1D7748A80DB61

Function 0084FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0084FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0084FB08
VariantInit.OLEAUT32(?), ref: 0084FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0084FB3A
VariantCopy.OLEAUT32(?,?), ref: 0084FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0084FBA1
VariantClear.OLEAUT32(?), ref: 0084FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0084FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0084FBCC
VariantClear.OLEAUT32(?), ref: 0084FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0084FBE9

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 5e4962cfc5a95f378150b9ad82656d940c5a28088300176e9058ad583d4a98da
Instruction ID: 5204eef062ffbe62850cec248fc8305c371fe1fd0028cfb65de2f9eb3eac1810
Opcode Fuzzy Hash: 5e4962cfc5a95f378150b9ad82656d940c5a28088300176e9058ad583d4a98da
Instruction Fuzzy Hash: 1B413E75A0021DDFCB00DF68D8589AEBBB9FF48354F008069E955E7262CB34A945CFA1

Function 00859C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00859CA1
GetAsyncKeyState.USER32(000000A0), ref: 00859D22
GetKeyState.USER32(000000A0), ref: 00859D3D
GetAsyncKeyState.USER32(000000A1), ref: 00859D57
GetKeyState.USER32(000000A1), ref: 00859D6C
GetAsyncKeyState.USER32(00000011), ref: 00859D84
GetKeyState.USER32(00000011), ref: 00859D96
GetAsyncKeyState.USER32(00000012), ref: 00859DAE
GetKeyState.USER32(00000012), ref: 00859DC0
GetAsyncKeyState.USER32(0000005B), ref: 00859DD8
GetKeyState.USER32(0000005B), ref: 00859DEA

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b5b3893d2e990953ae3e05ef33ce4740a01f9f97b8d9520488fb069b195dc196
Instruction ID: 9708a4bad6af92d5727697def5915bfe372d65f99ffd1aab44707ae392e2a194
Opcode Fuzzy Hash: b5b3893d2e990953ae3e05ef33ce4740a01f9f97b8d9520488fb069b195dc196
Instruction Fuzzy Hash: E34195345047C9ADFF31966488143A5BEB0FF11346F08809ADEC6965C2EBA59DCCC7A2

Function 0087055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 008705BC
inet_addr.WSOCK32(?), ref: 0087061C
gethostbyname.WSOCK32(?), ref: 00870628
IcmpCreateFile.IPHLPAPI ref: 00870636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008706C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008706E5
IcmpCloseHandle.IPHLPAPI(?), ref: 008707B9
WSACleanup.WSOCK32 ref: 008707BF

Strings

Ping, xrefs: 00870676

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ffb9c6da9f8a0aadbb57413b43c78af6e33341bb7be415146705d893b3784e57
Instruction ID: e78a93c26d575334b97a884469ab3ce270175e02a73b33bc6d5b186ae2352d7e
Opcode Fuzzy Hash: ffb9c6da9f8a0aadbb57413b43c78af6e33341bb7be415146705d893b3784e57
Instruction Fuzzy Hash: 64915635608201DFD324DF19C888B2ABBE0FB88358F14C5A9E569DB6A6C735ED41CF91

Function 00878CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00878CF3

Part of subcall function 00858E54: _wcslen.LIBCMT ref: 00858E77

_wcslen.LIBCMT ref: 00878D4E
_wcslen.LIBCMT ref: 00878D9C
_wcslen.LIBCMT ref: 00878DDC
_wcslen.LIBCMT ref: 00878E6E

Strings

cdecl, xrefs: 00878D48, 00878D4D
winapi, xrefs: 00878D96, 00878D9B
none, xrefs: 00878E65, 00878E6A
stdcall, xrefs: 00878DD6, 00878DDB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 49413cd41dc4794ccfdde7ce80e91f80ea84e2c2cc5b59c3dfa7d5ed5a74f6e7
Instruction ID: a7383577b1d7500da3fa1ee4a1782ce1cff85b91eb743c93df9eb086dfcfab9d
Opcode Fuzzy Hash: 49413cd41dc4794ccfdde7ce80e91f80ea84e2c2cc5b59c3dfa7d5ed5a74f6e7
Instruction Fuzzy Hash: 4751A432A4451ADBCB24DF6CC9449BEB7A5FF64314B208229E529E73C8DB34DD40C790

Function 0087372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00873774
CoUninitialize.OLE32 ref: 0087377F
CoCreateInstance.OLE32(?,00000000,00000017,0088FB78,?), ref: 008737D9
IIDFromString.OLE32(?,?), ref: 0087384C
VariantInit.OLEAUT32(?), ref: 008738E4
VariantClear.OLEAUT32(?), ref: 00873936

Strings

Failed to create object, xrefs: 008737E4, 0087389A
Invalid parameter, xrefs: 00873865
NULL Pointer assignment, xrefs: 0087381E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6139fc190db413649a53cb0339a69aee5a0b9f9f50780de3f11c3ab2ae59a733
Instruction ID: 85ca79cea70356bba95e472ca29e21833925b3c885bf3a88b685d6a28d7ed2b7
Opcode Fuzzy Hash: 6139fc190db413649a53cb0339a69aee5a0b9f9f50780de3f11c3ab2ae59a733
Instruction Fuzzy Hash: 6F617A70608301AFD310DF58C889B6ABBE4FF49754F108829F999DB295D770EA48DB93

Function 00868195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00868257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00868267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00868273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00868310
SetCurrentDirectoryW.KERNEL32(?), ref: 00868324
SetCurrentDirectoryW.KERNEL32(?), ref: 00868356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0086838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00868395

Strings

*.*, xrefs: 0086839B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 67b653cf1c5dec2acdfbf8b933f6d18c8442f3785486ad47a9d785a0afebd506
Instruction ID: 24e59f56ec000a704e23e9cd37b885a552d850b1e5f8794576be6c1a0517eb28
Opcode Fuzzy Hash: 67b653cf1c5dec2acdfbf8b933f6d18c8442f3785486ad47a9d785a0afebd506
Instruction Fuzzy Hash: 276146B2504309DFCB10EF64C8449AEB3E8FF89314F05891AEA99C7351EB35E945CB92

Function 00863388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 008633CF

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 008633F0

Strings

Incorrect parameters to object property !, xrefs: 008634AB
"%s" (%d) : ==> %s:, xrefs: 00863522
Error: , xrefs: 008634D1
^ ERROR , xrefs: 0086349E
"%s" (%d) : ==> %s:%s%s, xrefs: 00863504
Line %d (File "%s"):, xrefs: 00863443, 0086345C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 51611dec0ca34315e8f6d5f3bda44a0aa8619cbfc322939056d3c4c1f7a993a5
Instruction ID: b1b193cb98d2ea803e2af0e8816532a2d627353336562541ea6748d7521996a6
Opcode Fuzzy Hash: 51611dec0ca34315e8f6d5f3bda44a0aa8619cbfc322939056d3c4c1f7a993a5
Instruction Fuzzy Hash: D0515B71900219EADF15EBA4CD4AEEEB778FF14344F104065F605B2292EB396F58CB61

Function 0085B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0085B5FC
_wcslen.LIBCMT ref: 0085B608
_wcslen.LIBCMT ref: 0085B64D
_wcslen.LIBCMT ref: 0085B68C
_wcslen.LIBCMT ref: 0085B6C7

Strings

EXISTS, xrefs: 0085B686, 0085B68B
KEYS, xrefs: 0085B647, 0085B64C
REMOVE, xrefs: 0085B602, 0085B607
APPEND, xrefs: 0085B6C1, 0085B6C6

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: e5beb502215acb9770c48057e482fb1850bf089466501d5ce6ef4fc752c34a43
Instruction ID: 267e6dc664c03426b88740e2c38c23c517bc3f01e5776e7b982dde2f0838572b
Opcode Fuzzy Hash: e5beb502215acb9770c48057e482fb1850bf089466501d5ce6ef4fc752c34a43
Instruction Fuzzy Hash: C741A532A001269BCB205F7D88915BEBBE5FF70755B244229ED25D7284F735CD89C790

Function 00865393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 008653A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00865416
GetLastError.KERNEL32 ref: 00865420
SetErrorMode.KERNEL32(00000000,READY), ref: 008654A7

Strings

READONLY, xrefs: 00865452
NOTREADY, xrefs: 0086544B
READY, xrefs: 00865460, 00865468
INVALID, xrefs: 00865459
UNKNOWN, xrefs: 00865444

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a991a2b238a0b81a1565596b164aefc4d850541ad5f3608a8371c211db98bcad
Instruction ID: 79f4d683aafc484c6a9a75fd76ec16e2f6477c7800a911ee377eb16e22ac97fb
Opcode Fuzzy Hash: a991a2b238a0b81a1565596b164aefc4d850541ad5f3608a8371c211db98bcad
Instruction Fuzzy Hash: E431B2B5A00608DFC710DF68C489EAABBB4FF04305F1580A5E505DB392EB75DD86CBA0

Function 00883C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00883C79
SetMenu.USER32(?,00000000), ref: 00883C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00883D10
IsMenu.USER32(?), ref: 00883D24
CreatePopupMenu.USER32 ref: 00883D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00883D5B
DrawMenuBar.USER32 ref: 00883D63

Strings

F, xrefs: 00883D4E
0, xrefs: 00883C54

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: b653c6d6b1cb9b1bb8e5a0462273ce0183aa49e67a1950d074848735da4e55fa
Instruction ID: 0aff694d520c0090c4cf5559822a63d6a6fb972037295978471378ed3e7c630b
Opcode Fuzzy Hash: b653c6d6b1cb9b1bb8e5a0462273ce0183aa49e67a1950d074848735da4e55fa
Instruction Fuzzy Hash: C2414875A01209EFDF14DF64E884EAABBB5FF49750F144029E946E7360D730AA10CBA4

Function 00883A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00883A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00883AA0
GetWindowLongW.USER32(?,000000F0), ref: 00883AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00883AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00883B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00883BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00883BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00883BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00883BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00883C13

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 1f0f1a98951297173389ae10f9183a1ba7887e64292247d485f64a0eade6b64f
Instruction ID: 93feda79609e9977004dc6f59acdb698865646644f262b39c1b4b63b919c6b7d
Opcode Fuzzy Hash: 1f0f1a98951297173389ae10f9183a1ba7887e64292247d485f64a0eade6b64f
Instruction Fuzzy Hash: 476159B5900248AFDB11EFA8CC85EEE77B8FB09710F100199FA15E72A2D774AA45DB50

Function 0085B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0085B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0085A1E1,?,00000001), ref: 0085B165
GetWindowThreadProcessId.USER32(00000000), ref: 0085B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0085A1E1,?,00000001), ref: 0085B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0085B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0085A1E1,?,00000001), ref: 0085B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0085A1E1,?,00000001), ref: 0085B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0085A1E1,?,00000001), ref: 0085B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0085A1E1,?,00000001), ref: 0085B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0085A1E1,?,00000001), ref: 0085B21D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: db56465e6f477d11d416b0ac810603693c3c6ee2ebf32f967db18b5e7ceb14af
Instruction ID: 246ac6f2224f3abac8eae3171ab3eba3d53ddc00fde012189e44ace53ffbefbd
Opcode Fuzzy Hash: db56465e6f477d11d416b0ac810603693c3c6ee2ebf32f967db18b5e7ceb14af
Instruction Fuzzy Hash: 8B3189B6540A04AFDB109F68EC48FAD7BB9FB61352F108019FE01D6190D7B49A458F74

Function 00822C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00822C94

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 00822CA0
_free.LIBCMT ref: 00822CAB
_free.LIBCMT ref: 00822CB6
_free.LIBCMT ref: 00822CC1
_free.LIBCMT ref: 00822CCC
_free.LIBCMT ref: 00822CD7
_free.LIBCMT ref: 00822CE2
_free.LIBCMT ref: 00822CED
_free.LIBCMT ref: 00822CFB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f212acaa66eddc7ee2f978f1618bfbbfe0e7f35f8d5266334e5afad641c8bd6c
Instruction ID: b5a43db8e355ac3ed8652f1b4182ffc1b79fef17cc8c06494f31903d63f20288
Opcode Fuzzy Hash: f212acaa66eddc7ee2f978f1618bfbbfe0e7f35f8d5266334e5afad641c8bd6c
Instruction Fuzzy Hash: D2116676500118BFCB02EF98E942DDD3FA5FF09350F9145A5FA489B222D631EAD09B91

Function 00867DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00867FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00867FC1
GetFileAttributesW.KERNEL32(?), ref: 00867FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00868005
SetCurrentDirectoryW.KERNEL32(?), ref: 00868017
SetCurrentDirectoryW.KERNEL32(?), ref: 00868060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 008680B0

Strings

*.*, xrefs: 00868066

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 9e9340b8b20e89b8a89833f6e953440e8dcc7df691fb483ae041193cb61085cf
Instruction ID: 8980fa732cc974728d14ea8714f93af2b010abb5e6ec3153cb3d351be181d47b
Opcode Fuzzy Hash: 9e9340b8b20e89b8a89833f6e953440e8dcc7df691fb483ae041193cb61085cf
Instruction Fuzzy Hash: A581AF72508245DBCB20EF54C8449AAB3E8FF88718F154D6AF989C7250EB36DD49CB92

Function 007F5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007F5C7A

Part of subcall function 007F5D0A: GetClientRect.USER32(?,?), ref: 007F5D30
Part of subcall function 007F5D0A: GetWindowRect.USER32(?,?), ref: 007F5D71
Part of subcall function 007F5D0A: ScreenToClient.USER32(?,?), ref: 007F5D99

GetDC.USER32 ref: 008346F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00834708
SelectObject.GDI32(00000000,00000000), ref: 00834716
SelectObject.GDI32(00000000,00000000), ref: 0083472B
ReleaseDC.USER32(?,00000000), ref: 00834733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008347C4

Strings

U, xrefs: 00834693

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7377d8a9406ca845e6ae7c79a58743b97251caca150128e969296b332ab36a30
Instruction ID: d1a4e1530457f5abba82671c093ea4ea781fd30feb6ce50cecbbdc352f6869bd
Opcode Fuzzy Hash: 7377d8a9406ca845e6ae7c79a58743b97251caca150128e969296b332ab36a30
Instruction Fuzzy Hash: 23710331400209DFCF218F64C985ABA3BB1FF86314F141269EE529A266D334A841DFA0

Function 0086359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 008635E4

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

LoadStringW.USER32(008C2390,?,00000FFF,?), ref: 0086360A

Strings

"%s" (%d) : ==> %s:, xrefs: 00863742
^ ERROR, xrefs: 008636C9
Error: , xrefs: 008636EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00863724
Line %d (File "%s"):, xrefs: 0086366B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 6c7cfb8910f0ff20a80ea8a5db3eee97aa6be12e90726df6506ea0672e756eb7
Instruction ID: 0285696a76ae723a06d41427977fc1cd670ad7d1e06d97105c3d16f295c1f0cb
Opcode Fuzzy Hash: 6c7cfb8910f0ff20a80ea8a5db3eee97aa6be12e90726df6506ea0672e756eb7
Instruction Fuzzy Hash: C9516C7180021DEADF15EBA4DC46EEEBB78FF14340F144125F605B22A2EB381A98DB61

Function 00888B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

Part of subcall function 0080912D: GetCursorPos.USER32(?), ref: 00809141
Part of subcall function 0080912D: ScreenToClient.USER32(00000000,?), ref: 0080915E
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000001), ref: 00809183
Part of subcall function 0080912D: GetAsyncKeyState.USER32(00000002), ref: 0080919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00888B6B
ImageList_EndDrag.COMCTL32 ref: 00888B71
ReleaseCapture.USER32 ref: 00888B77
SetWindowTextW.USER32(?,00000000), ref: 00888C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00888C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00888CFF

Strings

@GUI_DRAGFILE, xrefs: 00888C9A
@GUI_DROPID, xrefs: 00888C51

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 78c3b7ccadebf8986ba9bbeb019e544a87e9235b512fa198bff0ff3ddfa6e6c1
Instruction ID: 46d3c9e78f248fae1e15c47444d5792fe405757aa926b514768ee0f7a3b4228c
Opcode Fuzzy Hash: 78c3b7ccadebf8986ba9bbeb019e544a87e9235b512fa198bff0ff3ddfa6e6c1
Instruction Fuzzy Hash: 70519E71104304AFDB00EF24DC99FAA77E5FB88754F40062DFA56972E2DB749908CB62

Function 0086C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0086C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0086C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0086C2CA
GetLastError.KERNEL32 ref: 0086C322
SetEvent.KERNEL32(?), ref: 0086C336
InternetCloseHandle.WININET(00000000), ref: 0086C341

Strings

, xrefs: 0086C2BB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 46f737dc21e63ba7571b9ff801664f3b0c57c9f33349f09e889bac7c51acefe0
Instruction ID: b83cd2d100ac384b28af36f721416f01d3b5ce68217a205ec0b99840b0deab44
Opcode Fuzzy Hash: 46f737dc21e63ba7571b9ff801664f3b0c57c9f33349f09e889bac7c51acefe0
Instruction Fuzzy Hash: 533169B1600608AFD721AFA99988ABB7AFCFB49744F11851EF486D6301DB34DD049B71

Function 0085989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00833AAF,?,?,Bad directive syntax error,0088CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 008598BC
LoadStringW.USER32(00000000,?,00833AAF,?), ref: 008598C3

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00859987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 008598F1
Line %d:, xrefs: 00859912
Error: , xrefs: 00859955
Line %d (File "%s"):, xrefs: 0085992D
., xrefs: 0085996D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 2ec3781311770608c4fa406b7bdbdeedc779fcd63700d0e7f15874bd6e7dd621
Instruction ID: cbc658878ab02f6db21053dd665a587688a319df1323f8ff27017ba1941f5c09
Opcode Fuzzy Hash: 2ec3781311770608c4fa406b7bdbdeedc779fcd63700d0e7f15874bd6e7dd621
Instruction Fuzzy Hash: B8216F3180021EEBCF11EF94CC0AEEE7779FF18341F044465F615A12A2EA399628CB61

Function 0085209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 008520AB
GetClassNameW.USER32(00000000,?,00000100), ref: 008520C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0085214D

Strings

list, xrefs: 0085212F
largeicons, xrefs: 008520E1
smallicons, xrefs: 00852115
details, xrefs: 008520FB
SHELLDLL_DefView, xrefs: 008520CC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 5223b2981102d6cdcbb86082281a65e0f1775580994cd22bcb583f2ef49eb260
Instruction ID: 7cc32e35978611f1c796e4d3350734dab802070562b6c472d2b0121905c769f9
Opcode Fuzzy Hash: 5223b2981102d6cdcbb86082281a65e0f1775580994cd22bcb583f2ef49eb260
Instruction Fuzzy Hash: 0911237A2C8B06B9FA056228AC06DE7379CFF16326B20002AFE04E41D1FE6578495A14

Function 00828D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91889852663cb6c06ba4b31504011c1de73c963c604996d9a730e49d40c74d03
Instruction ID: 8520d00e50f189ad887e7aff5e75576ea52483a7e18c251e188af4bfa7b1b40d
Opcode Fuzzy Hash: 91889852663cb6c06ba4b31504011c1de73c963c604996d9a730e49d40c74d03
Instruction Fuzzy Hash: 2AC1BDB5A0426DEFDF119FACE841BADBBB4FF09310F044099E955E7292CB309981CB61

Function 0082CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0082CEB7
_free.LIBCMT ref: 0082CF22
_free.LIBCMT ref: 0082CF48
_free.LIBCMT ref: 0082CF71
_free.LIBCMT ref: 0082CFA9
_free.LIBCMT ref: 0082CFDA
_free.LIBCMT ref: 0082D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0082D09C
_free.LIBCMT ref: 0082D0B5

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 9661e16156e8a94b0831b05af4be75218b44c5a7dbb6d9ce299280b68b042a94
Instruction ID: c966200ed25b6342b2fcda6e8af55b9d11b76446821d5992432cbefaf2635f73
Opcode Fuzzy Hash: 9661e16156e8a94b0831b05af4be75218b44c5a7dbb6d9ce299280b68b042a94
Instruction Fuzzy Hash: 1C614771904324AFDB21AFB8BD81A7D7BA5FF05350F14026DF905D7282EBB199C18791

Function 008850D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00885186
ShowWindow.USER32(?,00000000), ref: 008851C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 008851CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 008851D1

Part of subcall function 00886FBA: DeleteObject.GDI32(00000000), ref: 00886FE6

GetWindowLongW.USER32(?,000000F0), ref: 0088520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0088521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0088524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00885287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00885296

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 2476cd550d0bfd8b20501f39aca6f3411b24e3ae46643b726e8752c2f86fe2a9
Instruction ID: 863bed9a173279fed0652e9b04ff79326c516e5590fc99eee5c4b3d36eeaf2a8
Opcode Fuzzy Hash: 2476cd550d0bfd8b20501f39aca6f3411b24e3ae46643b726e8752c2f86fe2a9
Instruction Fuzzy Hash: 7A51BE34A50A08FFEF20BF28CC4ABD87BA5FB05325F148012F625D62E1CB75A990DB51

Function 00808B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00846890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 008468A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008468B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 008468D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008468F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00808874,00000000,00000000,00000000,000000FF,00000000), ref: 00846901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0084691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00808874,00000000,00000000,00000000,000000FF,00000000), ref: 0084692D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 4c14a95c5f103e5802648cd4a79d068deaa814d6655bb41a4c7096630e10bdc9
Instruction ID: 4ae028f521cad4cb000a0a13f6e40e85566e09c3cc12e54dcd64f6ce8dd36165
Opcode Fuzzy Hash: 4c14a95c5f103e5802648cd4a79d068deaa814d6655bb41a4c7096630e10bdc9
Instruction Fuzzy Hash: 7D513A70600209EFDB20CF28CC95FAA7BB5FB55764F104528F996D62E0EB70E990DB50

Function 0086C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0086C182
GetLastError.KERNEL32 ref: 0086C195
SetEvent.KERNEL32(?), ref: 0086C1A9

Part of subcall function 0086C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0086C272
Part of subcall function 0086C253: GetLastError.KERNEL32 ref: 0086C322
Part of subcall function 0086C253: SetEvent.KERNEL32(?), ref: 0086C336
Part of subcall function 0086C253: InternetCloseHandle.WININET(00000000), ref: 0086C341

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 44551cee5e1bed3757e557f231106ff491e5b8ee38a9e6b3757f8ea89ec9507c
Instruction ID: 1b5a669726356d989f65d36d23fe4475e92b27a95682885582f0b9e529c15618
Opcode Fuzzy Hash: 44551cee5e1bed3757e557f231106ff491e5b8ee38a9e6b3757f8ea89ec9507c
Instruction Fuzzy Hash: 0D318B71200605AFDB219FA9DC54A77BBF9FF18300B01842EF99AC2715DB31E8149BA0

Function 008525A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00853A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00853A57
Part of subcall function 00853A3D: GetCurrentThreadId.KERNEL32 ref: 00853A5E
Part of subcall function 00853A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008525B3), ref: 00853A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 008525BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008525DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 008525DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 008525E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00852601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00852605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0085260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00852623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00852627

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: b426d32c2a1af4f8c2de8c0e35fb3704fde155b183e224b2fb59e7fcc3675f94
Instruction ID: b700fbebfc29654a883cb34c063d138a923bfadcebfeed662f75238b13e98b43
Opcode Fuzzy Hash: b426d32c2a1af4f8c2de8c0e35fb3704fde155b183e224b2fb59e7fcc3675f94
Instruction Fuzzy Hash: 3001B131290624BBFB10676C9C8EF593F59EB5AB52F100015F718AE0D9C9F228488A7A

Function 00851803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00851449,?,?,00000000), ref: 0085180C
HeapAlloc.KERNEL32(00000000,?,00851449,?,?,00000000), ref: 00851813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00851449,?,?,00000000), ref: 00851828
GetCurrentProcess.KERNEL32(?,00000000,?,00851449,?,?,00000000), ref: 00851830
DuplicateHandle.KERNEL32(00000000,?,00851449,?,?,00000000), ref: 00851833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00851449,?,?,00000000), ref: 00851843
GetCurrentProcess.KERNEL32(00851449,00000000,?,00851449,?,?,00000000), ref: 0085184B
DuplicateHandle.KERNEL32(00000000,?,00851449,?,?,00000000), ref: 0085184E
CreateThread.KERNEL32(00000000,00000000,00851874,00000000,00000000,00000000), ref: 00851868

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0c16a24e45dddf616322d0f6113391ea79a87ad4fc5b97f01976afb0fca55608
Instruction ID: f6cc535b2c305e50a9bba41ac0d5ea21298130a2b47e55b5d81e5d829a168a78
Opcode Fuzzy Hash: 0c16a24e45dddf616322d0f6113391ea79a87ad4fc5b97f01976afb0fca55608
Instruction Fuzzy Hash: E801BF75240304BFE710ABA9DC8DF577B6CFB89B11F004411FA05DB295D675A804CB30

Function 0087A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0085D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0085D501
Part of subcall function 0085D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0085D50F
Part of subcall function 0085D4DC: CloseHandle.KERNEL32(00000000), ref: 0085D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087A16D
GetLastError.KERNEL32 ref: 0087A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0087A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0087A268
GetLastError.KERNEL32(00000000), ref: 0087A273
CloseHandle.KERNEL32(00000000), ref: 0087A2C4

Strings

SeDebugPrivilege, xrefs: 0087A18F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 78e8a17f9aaeb6dd74b2173a701da9c252162d77a1e09ea27a57eb9348f8f1fc
Instruction ID: 9f33ffb9f84b9212088f650659a10b0d002b411617ed6034a1547c0b8445d561
Opcode Fuzzy Hash: 78e8a17f9aaeb6dd74b2173a701da9c252162d77a1e09ea27a57eb9348f8f1fc
Instruction Fuzzy Hash: 98616B312082429FD714DF18C498F29BBA1FF84318F58849CE46A8B7A7C776EC45CB92

Function 00883886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00883925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0088393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00883954
_wcslen.LIBCMT ref: 00883999
SendMessageW.USER32(?,00001057,00000000,?), ref: 008839C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 008839F4

Strings

SysListView32, xrefs: 008838F7

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 6a1a4f68e09624e0e191a73a5cf1d9d06010c1d8184ad3a20bc38eb95ab8edbc
Instruction ID: 8220dde5c08fa69392a275952b5d5429a69251fa76564f61d8e69d48e95dd430
Opcode Fuzzy Hash: 6a1a4f68e09624e0e191a73a5cf1d9d06010c1d8184ad3a20bc38eb95ab8edbc
Instruction Fuzzy Hash: 4F41A471A00219ABDF21AF64CC49FEA7BA9FF08750F100526F958E7281D7759E84CB90

Function 0085BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0085BCFD
IsMenu.USER32(00000000), ref: 0085BD1D
CreatePopupMenu.USER32 ref: 0085BD53
GetMenuItemCount.USER32(014858D0), ref: 0085BDA4
InsertMenuItemW.USER32(014858D0,?,00000001,00000030), ref: 0085BDCC

Strings

0, xrefs: 0085BCA8
2, xrefs: 0085BD37

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: dd44edea29bee004ce2ad290e90b2fd3f1198e2f4bab0dbffe1ddaacdc2bc481
Instruction ID: 48e6acd2028792282b787ed450e9ebdce1363fd99259cbdac63a2b9ee43e53c1
Opcode Fuzzy Hash: dd44edea29bee004ce2ad290e90b2fd3f1198e2f4bab0dbffe1ddaacdc2bc481
Instruction Fuzzy Hash: 8E519C70A002099BDF10CFA8D888BAEBBF4FF65316F144159EC11D7291D7749948CB62

Function 0085C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0085C913

Strings

blank, xrefs: 0085C895
stop, xrefs: 0085C8E4
question, xrefs: 0085C8CC
info, xrefs: 0085C8B4
warning, xrefs: 0085C8FC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 46ad28bcd92e3e17fead2e73cd109a0c056be55ed5af135006a292714acea74e
Instruction ID: ad99c7a929c4d78dd891e53379b0ebd7aef172892ba312cd60c046a2612dea48
Opcode Fuzzy Hash: 46ad28bcd92e3e17fead2e73cd109a0c056be55ed5af135006a292714acea74e
Instruction Fuzzy Hash: 2211303268930ABEE7005B149C83CEA6B9CFF15759B20003AFD04E53C2E7745D445669

Function 0085ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0085ED2A
_wcslen.LIBCMT ref: 0085ED3B
_wcslen.LIBCMT ref: 0085ED79
_wcslen.LIBCMT ref: 0085EDAF
_wcslen.LIBCMT ref: 0085EDDF
_wcslen.LIBCMT ref: 0085EDEF
_wcslen.LIBCMT ref: 0085EE2B
_wcslen.LIBCMT ref: 0085EE5A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 8bbc77412f691de0a11a6bbaa8370c1a966c65d2139a3b1c1798eaaa838f2609
Instruction ID: 21fa03be186cdc7aedb692035b26164c2b6130f84715d6214ed1010540c92e48
Opcode Fuzzy Hash: 8bbc77412f691de0a11a6bbaa8370c1a966c65d2139a3b1c1798eaaa838f2609
Instruction Fuzzy Hash: 8F413F65C1021865CB11EBF88C8AACFB7ADFF45710F508566E918E3122FB34E795C3A6

Function 0080F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0080F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0084F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0084F454

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 581f9054bd3d554e244e0710c40851dfb5b523c658a824988d0e48b5595904dc
Instruction ID: 0a8c8d3d712c0b9c18ee91c23c461ccbf1619207b48c96372110ec7f23692910
Opcode Fuzzy Hash: 581f9054bd3d554e244e0710c40851dfb5b523c658a824988d0e48b5595904dc
Instruction Fuzzy Hash: 6241E831608644BAD7B59B2D9C88B2A7E91FF96314F14C43DE347D2EB3D631A881CB11

Function 00882D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00882D1B
GetDC.USER32(00000000), ref: 00882D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00882D2E
ReleaseDC.USER32(00000000,00000000), ref: 00882D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00882D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00882D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00885A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00882DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00882DE1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0470ccb0179713b47f30ab248e37fbe26d8ca9106758687563354749a057f847
Instruction ID: af1988d46168bdc2d8ecfc346540b51a9d51768ed9dcaa2fbfc372d85b1ce5bd
Opcode Fuzzy Hash: 0470ccb0179713b47f30ab248e37fbe26d8ca9106758687563354749a057f847
Instruction Fuzzy Hash: CF318776201214BBEB219F688C8AFEB3FA9FF09751F044065FE08DA291D6759C40CBB0

Function 00855622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00855637
_memcmp.LIBVCRUNTIME ref: 00855659
_memcmp.LIBVCRUNTIME ref: 00855671
_memcmp.LIBVCRUNTIME ref: 00855684
_memcmp.LIBVCRUNTIME ref: 0085569E
_memcmp.LIBVCRUNTIME ref: 008556B1
_memcmp.LIBVCRUNTIME ref: 008556C9
_memcmp.LIBVCRUNTIME ref: 008556E4

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 72f7057513c4f73675090b1bc3d4b5114729443fcca60a85785112611ae504c1
Instruction ID: c5d84a91006c2bd1aa6e74ff322689279b4913640bde07fde9a5037a63e06baa
Opcode Fuzzy Hash: 72f7057513c4f73675090b1bc3d4b5114729443fcca60a85785112611ae504c1
Instruction Fuzzy Hash: C6212CA174091DB7D61465158DA2FFA339DFF30386F540020FF14DA742F728EE1886A6

Function 00874FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0087502E, 00875383
Not an Object type, xrefs: 00875007

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 90bd0f5826759ba8dc86f548f34f6ce27dc6c2e950bc20b1e2d401ccd1fdb6d8
Instruction ID: 7ec2f3ea9d26f677c2b4a83b8dc34469800c6f10dd04509c806be35eef9b294d
Opcode Fuzzy Hash: 90bd0f5826759ba8dc86f548f34f6ce27dc6c2e950bc20b1e2d401ccd1fdb6d8
Instruction Fuzzy Hash: 14D18F71A0060A9FDB10CFA8C881BAEB7B5FF48344F14C469E919EB295E7B1DD45CB60

Function 00831522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,008317FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 008315CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00831651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,008317FB,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008316E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 008316FB

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,008317FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00831777
__freea.LIBCMT ref: 008317A2
__freea.LIBCMT ref: 008317AE

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d7ed867ced2baff4d93f5529ce9248e8fef8aaa1ddbc7d92adf32757099e6481
Instruction ID: 9f17cfc4b15f7045e2b4af24fe781a87cdf365916643e3f790b57403bc2d0473
Opcode Fuzzy Hash: d7ed867ced2baff4d93f5529ce9248e8fef8aaa1ddbc7d92adf32757099e6481
Instruction Fuzzy Hash: 25919271E0021A9ADF208FA4CC89AEE7BB5FF99B14F184659E801E7245DB35DC40CBE0

Function 00874523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00874648
VariantInit.OLEAUT32(?), ref: 00874749
VariantClear.OLEAUT32(?), ref: 00874753
VariantClear.OLEAUT32(?), ref: 008747B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 008745D8, 00874706, 008747BE
Incorrect Object type in FOR..IN loop, xrefs: 0087472C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 76eda5c34f25e62cd53406fe2b24a30a981bdcbe4ea1ddfe05c0171248c3ed89
Instruction ID: 8625d2cf6c5eb74788235bf2d7f8d9b45f88c6a2a5be64a46f0a59eaf342ff74
Opcode Fuzzy Hash: 76eda5c34f25e62cd53406fe2b24a30a981bdcbe4ea1ddfe05c0171248c3ed89
Instruction Fuzzy Hash: E5919B31A00219ABDF24CFA4C888EAEBBB8FF46754F108559F519EB284D770D945CFA0

Function 00861187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0086125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00861284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 008612A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008612D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0086135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 008613C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00861430

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 32cb19f6ef932f843d178e1aff33e79efed579fa969cc323180a713e6eec5fc7
Instruction ID: 4bc300355695b122f0ea879a4062f3e40162277d3e5cd54a2b8b246ff0eafe29
Opcode Fuzzy Hash: 32cb19f6ef932f843d178e1aff33e79efed579fa969cc323180a713e6eec5fc7
Instruction Fuzzy Hash: 2F91E471A002099FDF00DFA8C899BBEB7B5FF45314F1A4029E901EB392DB74A941CB95

Function 0080948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 27d3f5196477b1724f94cf009698cd03b275db89e21ced876f07f70fed5d7f3b
Instruction ID: e6b099646ad7a1b53fe9cb2948c15f83e218fe1610fb5cdbda9b297068c97672
Opcode Fuzzy Hash: 27d3f5196477b1724f94cf009698cd03b275db89e21ced876f07f70fed5d7f3b
Instruction Fuzzy Hash: 3F911371900219EFCB50CFA9CC84AEEBBB8FF49324F148559E555F7292D374AA42CB60

Function 00873947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0087396B
CharUpperBuffW.USER32(?,?), ref: 00873A7A
_wcslen.LIBCMT ref: 00873A8A
VariantClear.OLEAUT32(?), ref: 00873C1F

Part of subcall function 00860CDF: VariantInit.OLEAUT32(00000000), ref: 00860D1F
Part of subcall function 00860CDF: VariantCopy.OLEAUT32(?,?), ref: 00860D28
Part of subcall function 00860CDF: VariantClear.OLEAUT32(?), ref: 00860D34

Strings

AUTOIT.ERROR, xrefs: 00873A80, 00873A85
Incorrect Parameter format, xrefs: 008739A6, 00873BA1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 1667e73a91944fcda513fd1080199237d984f60f6ffcf5291b32997081b4982a
Instruction ID: 80d98775e9b121d1bd1425c85d76dd3b5e7b1cec787cef5c6d2c956ea0fffa9e
Opcode Fuzzy Hash: 1667e73a91944fcda513fd1080199237d984f60f6ffcf5291b32997081b4982a
Instruction Fuzzy Hash: 009133756083059FC704EF28C48596AB7E4FF89314F14882EF98ADB351DB31EA45DB92

Function 00874BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0085000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?,?,0085035E), ref: 0085002B
Part of subcall function 0085000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850046
Part of subcall function 0085000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850054
Part of subcall function 0085000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?), ref: 00850064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00874C51
_wcslen.LIBCMT ref: 00874D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00874DCF
CoTaskMemFree.OLE32(?), ref: 00874DDA

Strings

NULL Pointer assignment, xrefs: 00874E23, 00874E52

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: e319da1650646787939d4577b4c1d17fea2fbb56a8267d35b9a2c3e99346eb11
Instruction ID: a314f436bb399192db051c43398b030738e96a21ee80d94979e067b6f53f04f8
Opcode Fuzzy Hash: e319da1650646787939d4577b4c1d17fea2fbb56a8267d35b9a2c3e99346eb11
Instruction Fuzzy Hash: DD912471D0021DEBDF20DFA4C880AEEBBB8FF08314F108169E919A7255EB349A448F61

Function 008820FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00882183
GetMenuItemCount.USER32(00000000), ref: 008821B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 008821DD
_wcslen.LIBCMT ref: 00882213
GetMenuItemID.USER32(?,?), ref: 0088224D
GetSubMenu.USER32(?,?), ref: 0088225B

Part of subcall function 00853A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00853A57
Part of subcall function 00853A3D: GetCurrentThreadId.KERNEL32 ref: 00853A5E
Part of subcall function 00853A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008525B3), ref: 00853A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 008822E3

Part of subcall function 0085E97B: Sleep.KERNEL32 ref: 0085E9F3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: d0aab72d8c7094f53d836d7574059f47546fd396ae0ab62a08c037d596e42177
Instruction ID: baed5f38afa83a5aecd91bde8183b6be7a0aa30fe754e6ae28389e083bdcd158
Opcode Fuzzy Hash: d0aab72d8c7094f53d836d7574059f47546fd396ae0ab62a08c037d596e42177
Instruction Fuzzy Hash: 20717F75A00219EFCB14EF68C885AAEB7F5FF48310F148469E916EB355D734ED418BA0

Function 0085AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0085AEF9
GetKeyboardState.USER32(?), ref: 0085AF0E
SetKeyboardState.USER32(?), ref: 0085AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0085AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0085AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0085AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0085B020

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 31dedeb56837169bb720792f74fe3b0522fcc73327bd40322bdc2262c040dd7e
Instruction ID: 24440df34dab7a2bdf644837309bb38026b8bbb3616b64d36bc16a42dbb0930e
Opcode Fuzzy Hash: 31dedeb56837169bb720792f74fe3b0522fcc73327bd40322bdc2262c040dd7e
Instruction Fuzzy Hash: 2451E5A06047D53DFB368238CC45BBABEA9BB06306F088589E9D5D54C2D798ACCCD761

Function 0085ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0085AD19
GetKeyboardState.USER32(?), ref: 0085AD2E
SetKeyboardState.USER32(?), ref: 0085AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0085ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0085ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0085AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0085AE38

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 5d40fd7765e3307d7a27406ec85592c7216a6b3c93f7669dd069d0688eb99858
Instruction ID: 299c405818b38f64051fc855854ea23e5ab46b4597980ded71b6ade6132ab1db
Opcode Fuzzy Hash: 5d40fd7765e3307d7a27406ec85592c7216a6b3c93f7669dd069d0688eb99858
Instruction Fuzzy Hash: 1F51F9A15047D53DFB3A93348CC6B7ABEA8FB05302F088648E5D5D68C2D294EC8CD762

Function 0082542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00833CD6,?,?,?,?,?,?,?,?,00825BA3,?,?,00833CD6,?,?), ref: 00825470
__fassign.LIBCMT ref: 008254EB
__fassign.LIBCMT ref: 00825506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00833CD6,00000005,00000000,00000000), ref: 0082552C
WriteFile.KERNEL32(?,00833CD6,00000000,00825BA3,00000000,?,?,?,?,?,?,?,?,?,00825BA3,?), ref: 0082554B
WriteFile.KERNEL32(?,?,00000001,00825BA3,00000000,?,?,?,?,?,?,?,?,?,00825BA3,?), ref: 00825584

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 0c15c57fa3401a23cc8d843f9ed9421f55b48e912e3ca7e715a4d1be4cf071d0
Instruction ID: 3bd569fc1934167ba4bdc80526f355d6d24038f10a8d2594defcdd7df59d2039
Opcode Fuzzy Hash: 0c15c57fa3401a23cc8d843f9ed9421f55b48e912e3ca7e715a4d1be4cf071d0
Instruction Fuzzy Hash: 0E51D3B0A006199FDB10CFA8E995AEEBBF9FF09301F14451AF955E7291D7309A81CB60

Function 00812D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00812D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00812D53
_ValidateLocalCookies.LIBCMT ref: 00812DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00812E0C
_ValidateLocalCookies.LIBCMT ref: 00812E61

Strings

csm, xrefs: 00812DF6

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cb4d13861d52822a71b379a0c4273754194a3414e0e4ae7cc27e6c42d9cd9f7a
Instruction ID: f4f949b35a1172998ddaca79c4c188566eead74546d06f362f8686503e50d376
Opcode Fuzzy Hash: cb4d13861d52822a71b379a0c4273754194a3414e0e4ae7cc27e6c42d9cd9f7a
Instruction Fuzzy Hash: 3A419134A0020DABCF10DF68D845ADEBBB9FF45324F148165E914EB392D731AAA5CBD1

Function 008710B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0087304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0087307A
Part of subcall function 0087304E: _wcslen.LIBCMT ref: 0087309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00871112
WSAGetLastError.WSOCK32 ref: 00871121
WSAGetLastError.WSOCK32 ref: 008711C9
closesocket.WSOCK32(00000000), ref: 008711F9

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: a8865ebdaf0031bc3027e98cf1899060474627e2056359e490531c97c2de8c10
Instruction ID: aa45dfe3969d7af68c8a44daab23ee73b1ce7eee29f55797ad43a5ebbce53050
Opcode Fuzzy Hash: a8865ebdaf0031bc3027e98cf1899060474627e2056359e490531c97c2de8c10
Instruction Fuzzy Hash: 6C419E31600208AFDB109F58C889AA9B7A9FF45328F548059F919DF299C774ED41CBB1

Function 0085CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0085CF22,?), ref: 0085DDFD

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0085CF22,?), ref: 0085DE16

lstrcmpiW.KERNEL32(?,?), ref: 0085CF45
MoveFileW.KERNEL32(?,?), ref: 0085CF7F
_wcslen.LIBCMT ref: 0085D005
_wcslen.LIBCMT ref: 0085D01B
SHFileOperationW.SHELL32(?), ref: 0085D061

Strings

\*.*, xrefs: 0085CFF3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: d4b7e19aad7e7654e1f3c166faff96ba43fb3daf0d2834c5871141d1f61ccc29
Instruction ID: 52027f76c0bdb75f2a992c8d2fda50a3030d7557c88071081b0eba346617c407
Opcode Fuzzy Hash: d4b7e19aad7e7654e1f3c166faff96ba43fb3daf0d2834c5871141d1f61ccc29
Instruction Fuzzy Hash: 514110719452189FDF22EBA4DD81ADEB7B9FF08381F1000A6E905EB141EE74A688CF51

Function 00882DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00882E1C
GetWindowLongW.USER32(?,000000F0), ref: 00882E4F
GetWindowLongW.USER32(?,000000F0), ref: 00882E84
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00882EB6
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00882EE0
GetWindowLongW.USER32(?,000000F0), ref: 00882EF1
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00882F0B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e76725aae5868f1bd9416b63f0b856791c9a4fbb8b008a33885b195db613ad2e
Instruction ID: 28199764ef328adfbf3c954b69fd9eed49c5a2c7078632732f55af446b1052e3
Opcode Fuzzy Hash: e76725aae5868f1bd9416b63f0b856791c9a4fbb8b008a33885b195db613ad2e
Instruction Fuzzy Hash: B631FE30604254AFEB61EF58DC88FA53BA1FB9A710F5501A5FA01CB2B2CB71BC44DB55

Function 00857726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00857769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0085778F
SysAllocString.OLEAUT32(00000000), ref: 00857792
SysAllocString.OLEAUT32(?), ref: 008577B0
SysFreeString.OLEAUT32(?), ref: 008577B9
StringFromGUID2.OLE32(?,?,00000028), ref: 008577DE
SysAllocString.OLEAUT32(?), ref: 008577EC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5e6022b88f583a5bbd227034c9dcf93372037f4e3ab081eb9242e2c9f401decc
Instruction ID: 00da59a25d48749c91da9d0ec5c0d2ba7b0756f3bd47a976ceb2f9fcedb0db9a
Opcode Fuzzy Hash: 5e6022b88f583a5bbd227034c9dcf93372037f4e3ab081eb9242e2c9f401decc
Instruction Fuzzy Hash: A6218E76604219AFDB10DFACEC88CBB77ACFB09764B048025FE15DB295D670EC858764

Function 008577FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00857842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00857868
SysAllocString.OLEAUT32(00000000), ref: 0085786B
SysAllocString.OLEAUT32 ref: 0085788C
SysFreeString.OLEAUT32 ref: 00857895
StringFromGUID2.OLE32(?,?,00000028), ref: 008578AF
SysAllocString.OLEAUT32(?), ref: 008578BD

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f69567b91e9995f36f988e33ce4c4d1b9c61266c8102a4e9fa3ac7ff5a836c18
Instruction ID: 819fb30c08b17f6c305ea4707c697d1ec85f5e8e5a1a33567c65c976f716a894
Opcode Fuzzy Hash: f69567b91e9995f36f988e33ce4c4d1b9c61266c8102a4e9fa3ac7ff5a836c18
Instruction Fuzzy Hash: DC218E31608218AFDB109BADEC8CDAA77ACFB08361710C135B915CB2A5D670EC85CB78

Function 008604D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 008604F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0086052E

Strings

nul, xrefs: 00860567

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ab40321cde6f910c88ee5060fdc901364f19cbf182c00a48ce76003790f0aca0
Instruction ID: d71e5e482619ad09be4a98f861b817b4ec6e83e0535f4c16fcfe222ba75094b1
Opcode Fuzzy Hash: ab40321cde6f910c88ee5060fdc901364f19cbf182c00a48ce76003790f0aca0
Instruction Fuzzy Hash: D0216B75500305ABDB209F69DC48A9B7BA4FF44724F214A19F9A2E62E0E7709950CF24

Function 008605A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 008605C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00860601

Strings

nul, xrefs: 00860639

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: ea7a74475dbb30df660b99c7e33fc73a1202bd9faf5e7f5931b324382205607e
Instruction ID: b5c5b0bc98642f4259fe4faf29c1bac8b9182f5f0ef45529ecea0e1e7b183d57
Opcode Fuzzy Hash: ea7a74475dbb30df660b99c7e33fc73a1202bd9faf5e7f5931b324382205607e
Instruction Fuzzy Hash: 0821A1755003059BDB209F68CC04E9B77E4FFA5724F210A19F9A1E72E0D7B09860CF28

Function 008840AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007F604C
Part of subcall function 007F600E: GetStockObject.GDI32(00000011), ref: 007F6060
Part of subcall function 007F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007F606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00884112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0088411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0088412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00884139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00884145

Strings

Msctls_Progress32, xrefs: 008840E3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: ea03c782e34e56ae93755da7ef0152be1143d0443ced775090cb34583c4f5759
Instruction ID: d58e07891c5f37fbfe086ec2d85ed7105b3e3cc1392c0d056bad04fe573039e6
Opcode Fuzzy Hash: ea03c782e34e56ae93755da7ef0152be1143d0443ced775090cb34583c4f5759
Instruction Fuzzy Hash: 741190B615021EBEEF119F64CC85EE77F6DFF08798F014120BA18E2190CA769C219BA4

Function 0082D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0082D7A3: _free.LIBCMT ref: 0082D7CC

_free.LIBCMT ref: 0082D82D

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082D838
_free.LIBCMT ref: 0082D843
_free.LIBCMT ref: 0082D897
_free.LIBCMT ref: 0082D8A2
_free.LIBCMT ref: 0082D8AD
_free.LIBCMT ref: 0082D8B8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: 9f48927c75fb616b72049c5a135209915f72af2ce1187e46dcc4b828ad69d07c
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 15113A71540B24BAD621BFB4EC47FCB7FDCFF04700F800825B699E6092DA69B5858662

Function 0085DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0085DA74
LoadStringW.USER32(00000000), ref: 0085DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0085DA91
LoadStringW.USER32(00000000), ref: 0085DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0085DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0085DAB9

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: cabde04311fc3c2475a8dd3542dd9473443053fc709b1d289a9ce2ab73c412bd
Instruction ID: c9e6c3dfc5237a99b95ac5eee7a79525082796d3bb566736342f011b0865118b
Opcode Fuzzy Hash: cabde04311fc3c2475a8dd3542dd9473443053fc709b1d289a9ce2ab73c412bd
Instruction Fuzzy Hash: 720162F65002187FE711EBE89D89EEB376CF708301F4004A6BB46E2045E6749E844F75

Function 0086096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(0148EA40,0148EA40), ref: 0086097B
EnterCriticalSection.KERNEL32(0148EA20,00000000), ref: 0086098D
TerminateThread.KERNEL32(?,000001F6), ref: 0086099B
WaitForSingleObject.KERNEL32(?,000003E8), ref: 008609A9
CloseHandle.KERNEL32(?), ref: 008609B8
InterlockedExchange.KERNEL32(0148EA40,000001F6), ref: 008609C8
LeaveCriticalSection.KERNEL32(0148EA20), ref: 008609CF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 6f718e43e1cca257e3509099391f3134307707a504222bd50addca96d5255c22
Instruction ID: ea2ab74430c21f2335f4b1f648dbb16d8593722d85602144464245a2a3ad6ca7
Opcode Fuzzy Hash: 6f718e43e1cca257e3509099391f3134307707a504222bd50addca96d5255c22
Instruction Fuzzy Hash: A2F0EC32442A12BBD7515FA8EE8DBD6BB3AFF05712F402025F202908E5CB75A465CFA4

Function 00871C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00871DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00871DE1
WSAGetLastError.WSOCK32 ref: 00871DF2
htons.WSOCK32(?,?,?,?,?), ref: 00871EDB
inet_ntoa.WSOCK32(?), ref: 00871E8C

Part of subcall function 008539E8: _strlen.LIBCMT ref: 008539F2

Part of subcall function 00873224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0086EC0C), ref: 00873240

_strlen.LIBCMT ref: 00871F35

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 9b64578de34bb8d5fbc2ad9b6a5968901609c9d4df9c4f1c21fecdcf1d22f72c
Instruction ID: f1f7398e1f7709650794355b8c47c80c6a38f11fa95a70a56635617141322d21
Opcode Fuzzy Hash: 9b64578de34bb8d5fbc2ad9b6a5968901609c9d4df9c4f1c21fecdcf1d22f72c
Instruction Fuzzy Hash: C6B1AD31204300AFC724DF28C899E2ABBA5FF84318F54855CF55A9B6E2DB31ED45CB92

Function 007F5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 007F5D30
GetWindowRect.USER32(?,?), ref: 007F5D71
ScreenToClient.USER32(?,?), ref: 007F5D99
GetClientRect.USER32(?,?), ref: 007F5ED7
GetWindowRect.USER32(?,?), ref: 007F5EF8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ff466d6679ddec876552009f4d3a0bf8f8302de72f5139833b7d082c89ef44e9
Instruction ID: 5b5859fe6ab231f612cc92fed9d0bea39e666ab106add641535f51f07495b9f6
Opcode Fuzzy Hash: ff466d6679ddec876552009f4d3a0bf8f8302de72f5139833b7d082c89ef44e9
Instruction Fuzzy Hash: D0B16934A00A4ADBDB14CFA9C4807FEBBF1FF58310F14951AE9A9D7250DB34AA51DB90

Function 008201B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008200BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008200D6
__allrem.LIBCMT ref: 008200ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0082010B
__allrem.LIBCMT ref: 00820122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00820140

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: d95e6bcaf82ef00537da858b0c275a3ec4c2a68122cfbffb4d04a15bf8150d85
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 8681F971A00B16ABE7209F6CDC41BAA73E9FF41764F244139F651D7282EBB0D9818B91

Function 008261FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008182D9,008182D9,?,?,?,0082644F,00000001,00000001,8BE85006), ref: 00826258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0082644F,00000001,00000001,8BE85006,?,?,?), ref: 008262DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008263D8
__freea.LIBCMT ref: 008263E5

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

__freea.LIBCMT ref: 008263EE
__freea.LIBCMT ref: 00826413

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7977655c5fff468af8b1c6a59ebd00a5c554b4f835930308910f829fd2d97fdf
Instruction ID: 197122bc33300785ba5230cc9c7ce8b2a19635de1b155e05c29dd82b4af5ba9e
Opcode Fuzzy Hash: 7977655c5fff468af8b1c6a59ebd00a5c554b4f835930308910f829fd2d97fdf
Instruction Fuzzy Hash: C851D472A00226AFDB259F64EC85EAF77A9FF44750F154669FC05D6280EB34DCE0C6A0

Function 0087BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 0087C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087C9F1
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA68
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0087BD25
RegCloseKey.ADVAPI32(00000000), ref: 0087BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0087BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0087BDF3
RegCloseKey.ADVAPI32(?), ref: 0087BDFF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 982ac957a60e2468bf40cd92fb02c87a732eceffacc2d0d678e0de845a0c1c89
Instruction ID: fddf870a74ff42fd8d92de463242b83e0c112aa300afa6bdad53a9bd24a029cc
Opcode Fuzzy Hash: 982ac957a60e2468bf40cd92fb02c87a732eceffacc2d0d678e0de845a0c1c89
Instruction Fuzzy Hash: D3818A71208245EFD714DF24C885E2ABBE6FF84348F14896CF5598B2A2DB31ED45CB92

Function 0084F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0084F7B9
SysAllocString.OLEAUT32(00000001), ref: 0084F860
VariantCopy.OLEAUT32(0084FA64,00000000), ref: 0084F889
VariantClear.OLEAUT32(0084FA64), ref: 0084F8AD
VariantCopy.OLEAUT32(0084FA64,00000000), ref: 0084F8B1
VariantClear.OLEAUT32(?), ref: 0084F8BB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 74eb93f527cd202f659caf569289cfb30af3d910eabb74578bda0e2cc381913c
Instruction ID: 8f5944c1d718e67f5dd64a1e514e960f9c811a3459b88cbaa2c61d2ce4914a19
Opcode Fuzzy Hash: 74eb93f527cd202f659caf569289cfb30af3d910eabb74578bda0e2cc381913c
Instruction Fuzzy Hash: 2351B531A00318EACF24AB69D895B29BBA4FF45314F24946FEA05DF297DB748C40C767

Function 0086910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 008694E5
_wcslen.LIBCMT ref: 00869506
_wcslen.LIBCMT ref: 0086952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00869585

Strings

X, xrefs: 00869412

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: cf44b2cf2659576f99359e8e801bda90fd1a81d3ed91867f07c86c5197d6c005
Instruction ID: 8cecd461b8b1d1b300de8b0ddf6b892acb212ff6e2a62857a65c94151f3be13d
Opcode Fuzzy Hash: cf44b2cf2659576f99359e8e801bda90fd1a81d3ed91867f07c86c5197d6c005
Instruction Fuzzy Hash: A9E19D31608304DFC724EF24C885A6AB7E5FF85314F05896DEA999B3A2DB34DD05CB92

Function 0080920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

BeginPaint.USER32(?,?,?), ref: 00809241
GetWindowRect.USER32(?,?), ref: 008092A5
ScreenToClient.USER32(?,?), ref: 008092C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008092D3
EndPaint.USER32(?,?,?,?,?), ref: 00809321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 008471EA

Part of subcall function 00809339: BeginPath.GDI32(00000000), ref: 00809357

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 781c6063d588c44d3dc79aafadb8ac825b71718b9cc6a3e31048c5ced085faae
Instruction ID: 1b82772416868b0276ce4521784e29cb7459373fed22c6f4d8e5c73e19b49d1f
Opcode Fuzzy Hash: 781c6063d588c44d3dc79aafadb8ac825b71718b9cc6a3e31048c5ced085faae
Instruction Fuzzy Hash: 30418E70104205AFDB21DF28CCC9FAA7BB8FB56324F140269F9A4C72E2D7319845DB62

Function 008607EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0086080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00860847
EnterCriticalSection.KERNEL32(?), ref: 00860863
LeaveCriticalSection.KERNEL32(?), ref: 008608DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 008608F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00860921

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 671db1ba2e410b7da3610963e27a088cf11cdcdcf286353ea35ab2c0a96502ef
Instruction ID: eb661ceef8dd3574c1102050693d7cede6b4248c287fe91b287466764ec8c25b
Opcode Fuzzy Hash: 671db1ba2e410b7da3610963e27a088cf11cdcdcf286353ea35ab2c0a96502ef
Instruction Fuzzy Hash: 1F415871900205ABDF14EF58DC85AAA77B9FF44310F1480A9E904DE29BD730EE64DFA5

Function 008881DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0084F3AB,00000000,?,?,00000000,?,0084682C,00000004,00000000,00000000), ref: 0088824C
EnableWindow.USER32(?,00000000), ref: 00888272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 008882D1
ShowWindow.USER32(?,00000004), ref: 008882E5
EnableWindow.USER32(?,00000001), ref: 0088830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0088832F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: a345520c5694b483257cd374c269320cd707a1799cce0582e0622cef0637733e
Instruction ID: d6f72de225b4fbea9063a9cde90e85f09e45d3bc51f931ef933632e7f578d181
Opcode Fuzzy Hash: a345520c5694b483257cd374c269320cd707a1799cce0582e0622cef0637733e
Instruction Fuzzy Hash: 41417334601644EFDF26EF29D899FA47BF1FB0A714F984169E509CB262CB31A845CB50

Function 00854C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00854C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00854CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00854CEA
_wcslen.LIBCMT ref: 00854D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00854D10
_wcsstr.LIBVCRUNTIME ref: 00854D1A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 901a5a13e51307b33d1876fbd790ad472d70a9eab92daa0e66ded025dc792709
Instruction ID: b1c0fee295f0a5459d157bcbb1e333da0138e7e50245fb61ae370cfa52023a76
Opcode Fuzzy Hash: 901a5a13e51307b33d1876fbd790ad472d70a9eab92daa0e66ded025dc792709
Instruction Fuzzy Hash: D1210432204204BBEB659B29EC09E7B7BACFF45754F10903DFC05CA192EA71DC8483A1

Function 0086581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 007F3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007F3A97,?,?,007F2E7F,?,?,?,00000000), ref: 007F3AC2

_wcslen.LIBCMT ref: 0086587B
CoInitialize.OLE32(00000000), ref: 00865995
CoCreateInstance.OLE32(0088FCF8,00000000,00000001,0088FB68,?), ref: 008659AE
CoUninitialize.OLE32 ref: 008659CC

Strings

.lnk, xrefs: 00865876, 008658C1, 00865985

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 871973c61562a4c48fe8dfa17ee619c067e3ca7c89b9d0c8a75b10031c400600
Instruction ID: d4fbb31d0abcea0032198b9e36ac2ec248b100eee9552bbe7a3265b5f8844545
Opcode Fuzzy Hash: 871973c61562a4c48fe8dfa17ee619c067e3ca7c89b9d0c8a75b10031c400600
Instruction Fuzzy Hash: 34D17070608605DFC714DF28C484A2ABBE2FF89724F158859F98ADB361DB35EC45CB92

Function 0085175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00850FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00850FCA
Part of subcall function 00850FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00850FD6
Part of subcall function 00850FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00850FE5
Part of subcall function 00850FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00850FEC
Part of subcall function 00850FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00851002

GetLengthSid.ADVAPI32(?,00000000,00851335), ref: 008517AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 008517BA
HeapAlloc.KERNEL32(00000000), ref: 008517C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 008517DA
GetProcessHeap.KERNEL32(00000000,00000000,00851335), ref: 008517EE
HeapFree.KERNEL32(00000000), ref: 008517F5

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 5f4c9aea2661529c704f19a309fbf888b4a9eab0d73a72cf9b55556ce13e0669
Instruction ID: 5e79c5080b8cf0a194569258b9299b281169b5e0c262c322d5f9362c1dd8d527
Opcode Fuzzy Hash: 5f4c9aea2661529c704f19a309fbf888b4a9eab0d73a72cf9b55556ce13e0669
Instruction Fuzzy Hash: 5D118E35510605FFDF109FA8DC8DBAE7BA9FB4935AF104118F841E7218D735A948CB60

Function 008514CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008514FF
OpenProcessToken.ADVAPI32(00000000), ref: 00851506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00851515
CloseHandle.KERNEL32(00000004), ref: 00851520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0085154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00851563

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: b7e2e6502dc89aa6bbad550e9a0783f7f2e1742328cfdbdd18f171aedf84265c
Instruction ID: 802b0cff52dc422efa3693d4538874b3bb892d6a93b25d6c6afc90f7559462e5
Opcode Fuzzy Hash: b7e2e6502dc89aa6bbad550e9a0783f7f2e1742328cfdbdd18f171aedf84265c
Instruction Fuzzy Hash: FC11867210020DABDF118FA8ED09FDE7BAAFF48749F044024FE05A2060D3759E64EB60

Function 00813382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00813379,00812FE5), ref: 00813390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0081339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008133B7
SetLastError.KERNEL32(00000000,?,00813379,00812FE5), ref: 00813409

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d773a46ab9d1e8d0b55c509436f51d2a8d27776e0f2e9c4b0201a5b2fe1cd99a
Instruction ID: 2a2e818235c7c18fa0244f81ea080ac3bcaee672524f4d5407e931dd0e8bda89
Opcode Fuzzy Hash: d773a46ab9d1e8d0b55c509436f51d2a8d27776e0f2e9c4b0201a5b2fe1cd99a
Instruction Fuzzy Hash: 69017132609711BEAA253B787C859EB2B9CFF25779720032AF520C52F1EF114D826659

Function 00822D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00825686,00833CD6,?,00000000,?,00825B6A,?,?,?,?,?,0081E6D1,?,008B8A48), ref: 00822D78
_free.LIBCMT ref: 00822DAB
_free.LIBCMT ref: 00822DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0081E6D1,?,008B8A48,00000010,007F4F4A,?,?,00000000,00833CD6), ref: 00822DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0081E6D1,?,008B8A48,00000010,007F4F4A,?,?,00000000,00833CD6), ref: 00822DEC
_abort.LIBCMT ref: 00822DF2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2e5139c8ad15931520b47e0ae488334328749c2a7c84beade5ab441b4e0e6304
Instruction ID: b55103b2405ddd73a8832642755f6b2b09a0bb2cb279b7f6b1f7cff6ab9983c3
Opcode Fuzzy Hash: 2e5139c8ad15931520b47e0ae488334328749c2a7c84beade5ab441b4e0e6304
Instruction Fuzzy Hash: 3EF0C83650463477C212373CBC16F5B2659FFC17A5F240528F824D22D6EF3488C24272

Function 00888A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00809639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00809693
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096A2
Part of subcall function 00809639: BeginPath.GDI32(?), ref: 008096B9
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00888A4E
LineTo.GDI32(?,00000003,00000000), ref: 00888A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00888A70
LineTo.GDI32(?,00000000,00000003), ref: 00888A80
EndPath.GDI32(?), ref: 00888A90
StrokePath.GDI32(?), ref: 00888AA0

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 5480a1123d28ead354c31e2d96adbdbc194da0d757b391b4c52a7df0517cd376
Instruction ID: e82f67c399d9654ed1185ed196f59c252ca3b5293d31ae30018b63aeb13a02af
Opcode Fuzzy Hash: 5480a1123d28ead354c31e2d96adbdbc194da0d757b391b4c52a7df0517cd376
Instruction Fuzzy Hash: DA11C976040119FFDF129F94DC88EAA7F6DFB08394F048012FA199A1A1C7719D55DBA1

Function 008551FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00855218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00855229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00855230
ReleaseDC.USER32(00000000,00000000), ref: 00855238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0085524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00855261

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 4aef3b24da07de9b04dd221b349c15fddff9eb8015cbeae845c2a3b2837b5dd7
Instruction ID: fee98e29b7a3d9905f2f5575e70424418dd8a7f7316004b62f1eac3ae8faf88c
Opcode Fuzzy Hash: 4aef3b24da07de9b04dd221b349c15fddff9eb8015cbeae845c2a3b2837b5dd7
Instruction Fuzzy Hash: AC014F75A00719BBEB109BBA9C49A5EBFB8FF48752F044065FA04E7285DA709804CFA0

Function 007F1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 007F1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 007F1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 007F1C22

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 245b1aeee33fc4f60b8d33c106fa4c4f3dd30f9ba98c3a3db114bb9616ecab61
Instruction ID: b289cd0cba8de4c589b0cd5569a3c0a3bdef6943d576ae0eabbeb860436dce67
Opcode Fuzzy Hash: 245b1aeee33fc4f60b8d33c106fa4c4f3dd30f9ba98c3a3db114bb9616ecab61
Instruction Fuzzy Hash: E9016CB09027597DE3008F5A8C85B52FFA8FF19354F00411B915C47941C7F5AC64CBE5

Function 0085EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0085EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0085EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0085EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0085EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0085EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0085EB75

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: c033f447d876e791541468ae8c443657797154a9df6ba07ab30c436c17d49ff0
Instruction ID: 411609e712d38b965f43c7915d737aec398e60758ccb267b2d2c426a848b00c2
Opcode Fuzzy Hash: c033f447d876e791541468ae8c443657797154a9df6ba07ab30c436c17d49ff0
Instruction Fuzzy Hash: 8EF09A72200118BBE7209B669C4EEEF3A7CFFCAB11F000168FA01E1091E7B02A01C7B5

Function 00847439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00847452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00847469
GetWindowDC.USER32(?), ref: 00847475
GetPixel.GDI32(00000000,?,?), ref: 00847484
ReleaseDC.USER32(?,00000000), ref: 00847496
GetSysColor.USER32(00000005), ref: 008474B0

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 0ca912e7e21b804e9fe008a76f63b5524415172d99c7d54d3dd9b6a0b67d7ea4
Instruction ID: 88b5e84873dbbc83aa13051a236bd363f47dfd1b29b73b0f5a48f2e2b1372746
Opcode Fuzzy Hash: 0ca912e7e21b804e9fe008a76f63b5524415172d99c7d54d3dd9b6a0b67d7ea4
Instruction Fuzzy Hash: 87016931400219EFEB519FB8EC08BBA7BB6FF14321F614164FA16E21A1CB311E51EB60

Function 00851874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0085187F
UnloadUserProfile.USERENV(?,?), ref: 0085188B
CloseHandle.KERNEL32(?), ref: 00851894
CloseHandle.KERNEL32(?), ref: 0085189C
GetProcessHeap.KERNEL32(00000000,?), ref: 008518A5
HeapFree.KERNEL32(00000000), ref: 008518AC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a252c2be7a9b72f9655bad24d38d782e010ad7ca86f039a68c1668be5042768a
Instruction ID: 7a45c71c9e9ee0ab0d4eec9cf38676ff9d04e95c38c6d501a3e25a926c193a98
Opcode Fuzzy Hash: a252c2be7a9b72f9655bad24d38d782e010ad7ca86f039a68c1668be5042768a
Instruction Fuzzy Hash: 4AE0E53A004101BBDB016FA9ED0CD0AFF39FF49B22B108220F22581578CB32A421EF60

Function 0085C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0085C6EE
_wcslen.LIBCMT ref: 0085C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0085C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0085C7CA

Strings

0, xrefs: 0085C6AF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: fabc91f3b129cf31cdfa0fb53d8fc830bd54334fac6e309959db00020de2b1a2
Instruction ID: 125ba4a12931fbcd74dd027aef92a9c71a7a270c4801ccc5f7bb25db566aa507
Opcode Fuzzy Hash: fabc91f3b129cf31cdfa0fb53d8fc830bd54334fac6e309959db00020de2b1a2
Instruction Fuzzy Hash: 9C51CC716043019FD7509E2CC889A6AB7E8FF49316F040A2DFE95D26A1DB74D9088F92

Function 0087AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0087AEA3

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

GetProcessId.KERNEL32(00000000), ref: 0087AF38
CloseHandle.KERNEL32(00000000), ref: 0087AF67

Strings

@, xrefs: 0087AE72
<, xrefs: 0087AE6B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 0f9347363bed3a35e4e3764a05c56460927628a355d90542dcb1b81428fe09fb
Instruction ID: 2b45c7b7efe22587e0f726a25cafe244c90ee61b99c504258de12589bdcd1e50
Opcode Fuzzy Hash: 0f9347363bed3a35e4e3764a05c56460927628a355d90542dcb1b81428fe09fb
Instruction Fuzzy Hash: 64716B75A00619DFCB18DF54C484AAEBBF4FF48314F048499E91AAB3A2CB74ED45CB91

Function 0085719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00857206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0085723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0085724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008572CF

Strings

DllGetClassObject, xrefs: 00857242

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 48455336db8bb98eda2b270b5a97f51bbfffe5c343de1338578855921fd03357
Instruction ID: 2ce2ea6fe848813fa3b8e4f46de512335ab3dec21b8d589393b2f097d59d59bd
Opcode Fuzzy Hash: 48455336db8bb98eda2b270b5a97f51bbfffe5c343de1338578855921fd03357
Instruction Fuzzy Hash: 0D416DB1A04204EFDB15CF54D884A9A7BA9FF44315F24C0A9BD0ADF20AD7B5D949CBA0

Function 00883D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00883E35
IsMenu.USER32(?), ref: 00883E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00883E92
DrawMenuBar.USER32 ref: 00883EA5

Strings

0, xrefs: 00883D89

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 8357c522b429f49c677344482bad0bd4638a05dbb2169c612f61960feb81bc41
Instruction ID: 7362d34af0dfa0d5965c0e42ae174d9e4b5b1e97e7235fd557204f447d3ddbf9
Opcode Fuzzy Hash: 8357c522b429f49c677344482bad0bd4638a05dbb2169c612f61960feb81bc41
Instruction Fuzzy Hash: 6B4144B5A01209AFDF10EF64D884EAABBB9FF49754F044129E905EB750D730AE44CF60

Function 00851DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00851E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00851E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00851EA9

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Strings

ListBox, xrefs: 00851E25
ComboBox, xrefs: 00851DF0

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 3fbf2c98ae4b50daccc365e3a86d5aa51bc509e8e9d9b777b24784b9860bd01c
Instruction ID: 88dd6d9f2d75d6330cde9adb34ebefc603d6ecd0c158edf365c7b558eae4d323
Opcode Fuzzy Hash: 3fbf2c98ae4b50daccc365e3a86d5aa51bc509e8e9d9b777b24784b9860bd01c
Instruction Fuzzy Hash: A421D671A00108AADF14AB68DC4AEFFB7B9FF55354B144129FD25E72E1DB384D0D8620

Function 00882F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00882F8D
LoadLibraryW.KERNEL32(?), ref: 00882F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00882FA9
DestroyWindow.USER32(?), ref: 00882FB1

Strings

SysAnimate32, xrefs: 00882F68

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9229ae0e1b34a759bd990cd48887b561cd0e04112f9829c415eb8190b577bea8
Instruction ID: 6b513e67fc8a8ad6119203bac3abb60eebe057547694a95819b7637fb50b9b22
Opcode Fuzzy Hash: 9229ae0e1b34a759bd990cd48887b561cd0e04112f9829c415eb8190b577bea8
Instruction Fuzzy Hash: 42218C71204209ABEB20AF68DC84EBB77B9FF59364F104628FA50D6190DB71DC51D760

Function 00814D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00814D1E,008228E9,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002), ref: 00814D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00814DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00814D1E,008228E9,?,00814CBE,008228E9,008B88B8,0000000C,00814E15,008228E9,00000002,00000000), ref: 00814DC3

Strings

CorExitProcess, xrefs: 00814D98
mscoree.dll, xrefs: 00814D86

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: ef7897572ef184138e7125a8f1c63f3cbd95eb27bfa698c8693f9d1a71ccb3da
Instruction ID: 1876091d52878e26adc127b45492b8d5ecdade709616085f60894361e46ab12e
Opcode Fuzzy Hash: ef7897572ef184138e7125a8f1c63f3cbd95eb27bfa698c8693f9d1a71ccb3da
Instruction Fuzzy Hash: E6F08C34A40208BBDB109B94EC49BEEBBA8FF04752F0400A8B805E2260CB315D84CBA1

Function 007F4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007F4EAE
FreeLibrary.KERNEL32(00000000,?,?,007F4EDD,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4EC0

Strings

kernel32.dll, xrefs: 007F4E94
Wow64DisableWow64FsRedirection, xrefs: 007F4EA8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 5d75f050eb42f5a95bfe5c01b742d4ff0b94dfe01f0add2b8887bb287c21996a
Instruction ID: cea1f61da0bd44c9a8cbd95bb4a3297714c2781c525bb5074ce6c56076e77078
Opcode Fuzzy Hash: 5d75f050eb42f5a95bfe5c01b742d4ff0b94dfe01f0add2b8887bb287c21996a
Instruction Fuzzy Hash: EFE08C3AA02A226B93321B29BC5CB6B7658BF81F62B050115FE00E2308DB78CD0582B0

Function 007F4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007F4E74
FreeLibrary.KERNEL32(00000000,?,?,00833CDE,?,008C1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 007F4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 007F4E6E
kernel32.dll, xrefs: 007F4E5B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 3e678b663e2411972928c172d75f3559ba080d463dc98c96d73048a3e96741c6
Instruction ID: 20a28386210cca090e5a95c23ecae3ab2451654be8a902b379b6d61c03525df4
Opcode Fuzzy Hash: 3e678b663e2411972928c172d75f3559ba080d463dc98c96d73048a3e96741c6
Instruction Fuzzy Hash: B2D01239502A615757321B297C1CE9B7A18FF85F613450615BA05E2318CF78CD0587F0

Function 00862947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00862C05
DeleteFileW.KERNEL32(?), ref: 00862C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00862C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00862CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00862CC0

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 3bcbc0da69049cd2b778ebe0e2fdf34b0d1b0f602d06bdc1362446d43d69e2f6
Instruction ID: fb89d4159532e327aff58b7587fc693f4e02f03758ae1aee17a66f453754e12e
Opcode Fuzzy Hash: 3bcbc0da69049cd2b778ebe0e2fdf34b0d1b0f602d06bdc1362446d43d69e2f6
Instruction Fuzzy Hash: 44B12D7290051DABDF21DBA8CC85EEEB7BDFF49350F1040A6F609E6251EA349A448F61

Function 0087A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0087A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0087A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0087A468
CloseHandle.KERNEL32(?), ref: 0087A63D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: ebb7257b33ae75219c134d3256a81eb352fdbf0fa527cd015620ce941eca620d
Instruction ID: c5d0de90899de946d76d5d7adb935dbb8108fd080ddf66d11ecf6c5ebf87d230
Opcode Fuzzy Hash: ebb7257b33ae75219c134d3256a81eb352fdbf0fa527cd015620ce941eca620d
Instruction Fuzzy Hash: 20A18B716043019FD724DF28C886B2AB7E5FB84714F14881DFA5ADB392D7B4EC418B92

Function 0082BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00893700), ref: 0082BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,008C121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0082BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,008C1270,000000FF,?,0000003F,00000000,?), ref: 0082BC36
_free.LIBCMT ref: 0082BB7F

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082BD4B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: afc766fbd2f92160b27ce96db93bb6620eb22f8384d8c08c3ab7cae96aa2f284
Instruction ID: 39dafa842d9dba29d9975e3e713221a38233c0bf3bfc72dd9fb72f198b31c078
Opcode Fuzzy Hash: afc766fbd2f92160b27ce96db93bb6620eb22f8384d8c08c3ab7cae96aa2f284
Instruction Fuzzy Hash: D351DB75901229EFCB10EF69EC85DAEB7BCFF45320B10426AE554D7292EB309DC18B51

Function 0085E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0085CF22,?), ref: 0085DDFD

Part of subcall function 0085DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0085CF22,?), ref: 0085DE16

Part of subcall function 0085E199: GetFileAttributesW.KERNEL32(?,0085CF95), ref: 0085E19A

lstrcmpiW.KERNEL32(?,?), ref: 0085E473
MoveFileW.KERNEL32(?,?), ref: 0085E4AC
_wcslen.LIBCMT ref: 0085E5EB
_wcslen.LIBCMT ref: 0085E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0085E650

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: e1c87645213ec0bbf251981a96ce12d38e2f98d0a35de8ac7aed4aaa98cac30f
Instruction ID: 69aeabee76e0534901d38b959247679da9e8da988069c7d6d6bbe7b5ea205e68
Opcode Fuzzy Hash: e1c87645213ec0bbf251981a96ce12d38e2f98d0a35de8ac7aed4aaa98cac30f
Instruction Fuzzy Hash: 40514FB24087459BC728DBA4DC819DBB3ECFF85341F00491EEA89D3151EF74A68C876A

Function 0087B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 0087C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0087B6AE,?,?), ref: 0087C9B5
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087C9F1
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA68
Part of subcall function 0087C998: _wcslen.LIBCMT ref: 0087CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0087BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0087BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0087BB63
RegCloseKey.ADVAPI32(?,?), ref: 0087BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0087BBB3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: ded4a65f4a801e860e5ff6de60e6c9b243b7d3685085dbac9aca43d9cc19d3c9
Instruction ID: 73a9f4e0b1825b0cc6498a7810d165646f1e7839bdbe651e251d26f4da320ba8
Opcode Fuzzy Hash: ded4a65f4a801e860e5ff6de60e6c9b243b7d3685085dbac9aca43d9cc19d3c9
Instruction Fuzzy Hash: AA616631208245EFC314DF24C494E2ABBE6FF84358F14896CE5998B2A6DB31ED45CB92

Function 00858BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00858BCD
VariantClear.OLEAUT32 ref: 00858C3E
VariantClear.OLEAUT32 ref: 00858C9D
VariantClear.OLEAUT32(?), ref: 00858D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00858D3B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 36becd23abc2039928035aca82cd6ec43f74b70e43666294039b763284d1bd4d
Instruction ID: 090448bed703e099c7b853b42405f3ba864502da3a553aaa8069a86b76e238d9
Opcode Fuzzy Hash: 36becd23abc2039928035aca82cd6ec43f74b70e43666294039b763284d1bd4d
Instruction Fuzzy Hash: 5A516BB5A00219EFCB10CF58C884AAAB7F8FF89314B15855AED05EB354E730E911CFA0

Function 00868AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00868BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00868BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00868C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00868C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00868C5F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f04db4c186f715404d06ca3382b3f5957886dd50ec28c70869011eba0f5fe769
Instruction ID: 373620d8b2768e396cce26e3fb73919db95e070929251c5860d6a1d26e19c70c
Opcode Fuzzy Hash: f04db4c186f715404d06ca3382b3f5957886dd50ec28c70869011eba0f5fe769
Instruction Fuzzy Hash: FA515A35A00219DFCB15DF64C884E69BBF5FF48314F088058E949AB3A2CB35ED55CBA0

Function 00878EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00878F40
GetProcAddress.KERNEL32(00000000,?), ref: 00878FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00878FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00879032
FreeLibrary.KERNEL32(00000000), ref: 00879052

Part of subcall function 0080F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00861043,?,7556E610), ref: 0080F6E6
Part of subcall function 0080F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0084FA64,00000000,00000000,?,?,00861043,?,7556E610,?,0084FA64), ref: 0080F70D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: d39edcba57f496d4e3a7bfc84ac256fc0f9b05ba6aa3529b5228493ebd9a6f63
Instruction ID: b41ea67bd188431ced0a3066a7c1e018d0c74eedb7e958c5dc2552fec4d25810
Opcode Fuzzy Hash: d39edcba57f496d4e3a7bfc84ac256fc0f9b05ba6aa3529b5228493ebd9a6f63
Instruction Fuzzy Hash: 46512734600609DFCB15DF58C4989A9BBF1FF49324B08C0A9E94A9B366DB35ED85CB90

Function 00886B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00886C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00886C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00886C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0086AB79,00000000,00000000), ref: 00886C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00886CC7

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: dd06e71a4a46def103002f735dc9a3e601faa0f2deebee0476db7cd1ff226acd
Instruction ID: 075e75d41a39029d80f94c78dd61fec0d2793fe69cc661764ad572e84dcd534b
Opcode Fuzzy Hash: dd06e71a4a46def103002f735dc9a3e601faa0f2deebee0476db7cd1ff226acd
Instruction Fuzzy Hash: D141B275A04104AFDB24EF28CD58FA97BA6FB09364F140228F895E73E0E371AD61DB50

Function 00822051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008220C3
_free.LIBCMT ref: 008220E3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6413acd803e20eeb20a60c376abb1e1c42615d71aa9535282ebd14596940ebd9
Instruction ID: 2c50b6416b18f565a51b1aa7e7efd6363e86556d18363c1ed0260b6b2d9ad699
Opcode Fuzzy Hash: 6413acd803e20eeb20a60c376abb1e1c42615d71aa9535282ebd14596940ebd9
Instruction Fuzzy Hash: 0041E272A00614AFCB20DF78D880A5EB7A5FF88314F1545A9EA15EB392DB31AD41CB81

Function 0080912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00809141
ScreenToClient.USER32(00000000,?), ref: 0080915E
GetAsyncKeyState.USER32(00000001), ref: 00809183
GetAsyncKeyState.USER32(00000002), ref: 0080919D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e6868a6b3be7ad6d0d311409b937233543c9472584849961cb8269a22daf8979
Instruction ID: 8d85305c969836cd9108667197d1a2426ca2aa67fa72276408594665057f8349
Opcode Fuzzy Hash: e6868a6b3be7ad6d0d311409b937233543c9472584849961cb8269a22daf8979
Instruction Fuzzy Hash: 23415B71A0860AFBDF159F68C848BEEB775FF05324F208229E469E62D1C7346D50CB91

Function 00863874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008638CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00863922
TranslateMessage.USER32(?), ref: 0086394B
DispatchMessageW.USER32(?), ref: 00863955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00863966

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: c66f8ee04de9d51341ab245d16c90eabee8c26468916d9047e202567db513406
Instruction ID: 1ddd2359726ef590be05ce6bc1235a036a75129fd138e1142454ea90faea1f26
Opcode Fuzzy Hash: c66f8ee04de9d51341ab245d16c90eabee8c26468916d9047e202567db513406
Instruction Fuzzy Hash: 2A3191709083869EEF35CB389849FB67FB8FB07304F050569E462C25A1E7B49A85CF21

Function 0086CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0086C21E,00000000), ref: 0086CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0086CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0086C21E,00000000), ref: 0086CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0086C21E,00000000), ref: 0086CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0086C21E,00000000), ref: 0086CFF2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a07b4bfbb90db84dafa68fe2e49dd916a0a534d30df11b464a81770953752717
Instruction ID: 648d4fbaff06c3ac1576b3491b30b153357bdb754d528e0866307fc9e0b3d244
Opcode Fuzzy Hash: a07b4bfbb90db84dafa68fe2e49dd916a0a534d30df11b464a81770953752717
Instruction Fuzzy Hash: 54315C71600209EFDB20DFA9D884ABBBBFAFF14354B11842EF556D2141DB70AE41DBA0

Function 00851901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00851915
PostMessageW.USER32(00000001,00000201,00000001), ref: 008519C1
Sleep.KERNEL32(00000000,?,?,?), ref: 008519C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 008519DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 008519E2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 59b223fcb88461f54df31b66b7a87890949c4fa79550efdb1cf1be4ff9bbdccc
Instruction ID: c6f998a7ccd00bd462d97261ae2b414229e9ed529f8f264921cda50acb75e2df
Opcode Fuzzy Hash: 59b223fcb88461f54df31b66b7a87890949c4fa79550efdb1cf1be4ff9bbdccc
Instruction Fuzzy Hash: F6318A71A00219AFCB00CFA8C99DB9E7BB5FB44316F104229F921E72D1C7709948CBA0

Function 00885706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00885745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0088579D
_wcslen.LIBCMT ref: 008857AF
_wcslen.LIBCMT ref: 008857BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00885816

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2a8788b212e8368cf244f8f0b872431ec12b88b73774b0a50a57bc564838682e
Instruction ID: b3a785b14152409c99f22c7d43b88115d7f475f0837ff1fb45850708a2831ffe
Opcode Fuzzy Hash: 2a8788b212e8368cf244f8f0b872431ec12b88b73774b0a50a57bc564838682e
Instruction Fuzzy Hash: 2721A5719046189ADF20AF64DC84AEEBBBCFF04324F108226E929EA194D7708985CF50

Function 0080990C Relevance: 7.6, APIs: 5, Instructions: 74COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008098CC
SetTextColor.GDI32(?,?), ref: 008098D6
SetBkMode.GDI32(?,00000001), ref: 008098E9
GetStockObject.GDI32(00000005), ref: 008098F1
GetWindowLongW.USER32(?,000000EB), ref: 00809952

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 13c0c17a84bf5c311b1daee85f0105beeb7efb04992e172e1f00cc8634895274
Instruction ID: e6ae8adee355912dcf40ba68af990aeef26ca1569d2975c7599b8a7fa79831e0
Opcode Fuzzy Hash: 13c0c17a84bf5c311b1daee85f0105beeb7efb04992e172e1f00cc8634895274
Instruction Fuzzy Hash: F921D3311492809FC7628F38EC98AA57FA0FF53331B18429EE5D2CA1E3D7365952CB60

Function 00870930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00870951
GetForegroundWindow.USER32 ref: 00870968
GetDC.USER32(00000000), ref: 008709A4
GetPixel.GDI32(00000000,?,00000003), ref: 008709B0
ReleaseDC.USER32(00000000,00000003), ref: 008709E8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 9f6951cf0cdc3495879827ccec3dc8c240983e61cb08ec412801bbe4359018ef
Instruction ID: 836b320f914d55a39ed5bbb898057be1692269c01143ffe3b21bba1a2e7504a4
Opcode Fuzzy Hash: 9f6951cf0cdc3495879827ccec3dc8c240983e61cb08ec412801bbe4359018ef
Instruction Fuzzy Hash: 61215E35A00204EFD704EF69D988AAEBBE5FF49700F048068E94AD7352DA34EC04CB60

Function 0082CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0082CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0082CDE9

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0082CE0F
_free.LIBCMT ref: 0082CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0082CE31

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f5d4c2cc62d436cd883dfca8cfb882c8c198856a3404cd0162d3e4f6fa2436fa
Instruction ID: 5d1678546bf66570de3ee700675c9f7f99a99d10e8f11dcf7d2015e2e0ebf5d2
Opcode Fuzzy Hash: f5d4c2cc62d436cd883dfca8cfb882c8c198856a3404cd0162d3e4f6fa2436fa
Instruction Fuzzy Hash: 240188766016357F2321167ABC8CD7F796DFEC6BA1316012AFD05D7205DB718D4282B1

Function 00809639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00809693
SelectObject.GDI32(?,00000000), ref: 008096A2
BeginPath.GDI32(?), ref: 008096B9
SelectObject.GDI32(?,00000000), ref: 008096E2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 54bcce3370bcd564ac604ce37ca5e695d7955a456bd5d4b8231e618043c5ffa5
Instruction ID: 0f936d4263f0eb8b28b1f8d3ec843859ff40fca7eb02cf1119925aa92a4e4edc
Opcode Fuzzy Hash: 54bcce3370bcd564ac604ce37ca5e695d7955a456bd5d4b8231e618043c5ffa5
Instruction Fuzzy Hash: 18216070801205EBDF519F28EC88BA93FB4FB52755F500215F460D61E2D3719859CB90

Function 00855711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00855726
_memcmp.LIBVCRUNTIME ref: 00855744
_memcmp.LIBVCRUNTIME ref: 00855757
_memcmp.LIBVCRUNTIME ref: 0085576F
_memcmp.LIBVCRUNTIME ref: 00855787

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 227c7b83059ddeff9dc4358715444066e3347bf45512d3ae0451ac3d9f1aa29a
Instruction ID: 63fdbc724dd8c47ef787d49c3007c3c99fba16e6913e40e15c89c85a20528fbc
Opcode Fuzzy Hash: 227c7b83059ddeff9dc4358715444066e3347bf45512d3ae0451ac3d9f1aa29a
Instruction Fuzzy Hash: FA01F5A124160DBBD60861159D92FFB735DFF243AAF104020FE14DA342F724EE5483A1

Function 00822DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0081F2DE,00823863,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6), ref: 00822DFD
_free.LIBCMT ref: 00822E32
_free.LIBCMT ref: 00822E59
SetLastError.KERNEL32(00000000,007F1129), ref: 00822E66
SetLastError.KERNEL32(00000000,007F1129), ref: 00822E6F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 4f28dd92511d3eaebc28ae5701d16cdbe868d48dae5ad2e6eb50a101ca8ecbd0
Instruction ID: c6bdc896f660d0ce968ae390dabd3bd75cf91fdd9e6c7ed38a07ef271a94c39c
Opcode Fuzzy Hash: 4f28dd92511d3eaebc28ae5701d16cdbe868d48dae5ad2e6eb50a101ca8ecbd0
Instruction Fuzzy Hash: FA01F93A20562077C612673C7C46D3B265DFBD53B57620128F821E22D3EB74CCC16231

Function 0085000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?,?,0085035E), ref: 0085002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?), ref: 00850064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0084FF41,80070057,?,?), ref: 00850070

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: e765af1d0fdcc7220d664b9cf14b7871020882f403486284c505337d7ed6f0a6
Instruction ID: 6f8ccab682a89509e4e81cd641139063e68a113623d1fa18cb69b5e4d84bd7bb
Opcode Fuzzy Hash: e765af1d0fdcc7220d664b9cf14b7871020882f403486284c505337d7ed6f0a6
Instruction Fuzzy Hash: 8701AD72640605BFDB108F68DC04BAA7AEDFF48792F144124FD05D2254E771DD488BA0

Function 0085E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0085E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0085E9A5
Sleep.KERNEL32(00000000), ref: 0085E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0085E9B7
Sleep.KERNEL32 ref: 0085E9F3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 6dd8f4947d6fca9b1425aa549ba5e8c34127324d77f8dc4765c693f8be6f1d28
Instruction ID: 846459742f2ca46909d5cd649162310677724ea927921f71877cabbf9267db12
Opcode Fuzzy Hash: 6dd8f4947d6fca9b1425aa549ba5e8c34127324d77f8dc4765c693f8be6f1d28
Instruction Fuzzy Hash: 61015735C0162EDBCF04ABE8DC99AEDBF78FB09302F000546E912F2244DB309658CBA1

Function 008510F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00851114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 0085112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00850B9B,?,?,?), ref: 00851136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0085114D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b2689c77c913bcffa03be0c38655acd901f1c41a0f93e099482f5dcc730997fa
Instruction ID: 7a943a2b5d9f8d0f7d790bb5114d2b15dc6726411c28908fd2086044b6a56b1b
Opcode Fuzzy Hash: b2689c77c913bcffa03be0c38655acd901f1c41a0f93e099482f5dcc730997fa
Instruction Fuzzy Hash: 60014679200605AFDB115BA8EC8DA6A3B6EFF893A2B210458FA41C2360DB31DC008B70

Function 00850FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00850FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00850FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00850FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00850FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00851002

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b6645f0820338dd83aebbabe242545882757c69c237a6550d5fefc8949256e25
Instruction ID: 108d2b867b5ea848e7965c47272c410915d8ebe12eb760ff23b4854d0b71932f
Opcode Fuzzy Hash: b6645f0820338dd83aebbabe242545882757c69c237a6550d5fefc8949256e25
Instruction Fuzzy Hash: 41F04939201711ABDB214FA8AC8DF563BADFF89B62F504414FA45CA295CA70EC408B70

Function 00851014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0085102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00851036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0085104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851062

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c1ad9f96ecf73a87721ed95122067908ae72bd60938f4b06dcbd9bc4c9772d2a
Instruction ID: 9e98deb8b720b8d661b9f5fc659445475d1cb6f3420bd92ae3ed23c56ba6917d
Opcode Fuzzy Hash: c1ad9f96ecf73a87721ed95122067908ae72bd60938f4b06dcbd9bc4c9772d2a
Instruction Fuzzy Hash: 67F04939200711ABDB219FA8EC8DF563BADFF89762F600414FA45CA294CA70E8408B70

Function 0086030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860324
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860331
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 0086033E
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 0086034B
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860358
CloseHandle.KERNEL32(?,?,?,?,0086017D,?,008632FC,?,00000001,00832592,?), ref: 00860365

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d7c879158ac3740425af22211f9c9d3030e58387f5bb4278af0ed930958db44f
Instruction ID: 2bac7cae6c140300f263cf6593901c519c32dfacd69bb8359d48c3ee704a3dde
Opcode Fuzzy Hash: d7c879158ac3740425af22211f9c9d3030e58387f5bb4278af0ed930958db44f
Instruction Fuzzy Hash: B4019072800B159FC7319F66D980813F7F5FE502163168A3ED19692A31C371A955DF84

Function 0082D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0082D752

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 0082D764
_free.LIBCMT ref: 0082D776
_free.LIBCMT ref: 0082D788
_free.LIBCMT ref: 0082D79A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cc9b9b3f6aade17b437323209d80daeaf119bc00f2bd0669eb3c6d074e658bca
Instruction ID: 0e040164fa00b300af4148de52ae541e27cb357069e0e912cceb471c7a425730
Opcode Fuzzy Hash: cc9b9b3f6aade17b437323209d80daeaf119bc00f2bd0669eb3c6d074e658bca
Instruction Fuzzy Hash: E4F0E732545324AB9621EB68F9C6D1A7FDDFB48710BA40D15F448E7502CB24FCC08A65

Function 00855C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00855C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00855C6F
MessageBeep.USER32(00000000), ref: 00855C87
KillTimer.USER32(?,0000040A), ref: 00855CA3
EndDialog.USER32(?,00000001), ref: 00855CBD

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 68cdb5d527b2e0eb31a6e96f2d0eb61e2271a37579c3b3ef8fa8d5c6f1c201f2
Instruction ID: 41e68187af60f4d1dd6818a16d0e4584ae5fc7bd4da10634809c0608232e9533
Opcode Fuzzy Hash: 68cdb5d527b2e0eb31a6e96f2d0eb61e2271a37579c3b3ef8fa8d5c6f1c201f2
Instruction Fuzzy Hash: 80018670500B04ABEB205B54DD5EFA67BB8FF10B06F00056DA593E14E5EBF4AD888BA0

Function 008222A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008222BE

Part of subcall function 008229C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000), ref: 008229DE
Part of subcall function 008229C8: GetLastError.KERNEL32(00000000,?,0082D7D1,00000000,00000000,00000000,00000000,?,0082D7F8,00000000,00000007,00000000,?,0082DBF5,00000000,00000000), ref: 008229F0

_free.LIBCMT ref: 008222D0
_free.LIBCMT ref: 008222E3
_free.LIBCMT ref: 008222F4
_free.LIBCMT ref: 00822305

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e5c70f13211934826378ca518e9b72dba36997b27152660da78562d43e30862f
Instruction ID: ab04529b5a92044aa3e41477592f760551e22e531fbfe2ab9652e2d26ff169e4
Opcode Fuzzy Hash: e5c70f13211934826378ca518e9b72dba36997b27152660da78562d43e30862f
Instruction Fuzzy Hash: 9AF05E74810131EB8A12EF58BC41D487F74FB1D7A1B41061AF824D22B6CB3508D1AFE5

Function 008095C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008095D4
StrokeAndFillPath.GDI32(?,?,008471F7,00000000,?,?,?), ref: 008095F0
SelectObject.GDI32(?,00000000), ref: 00809603
DeleteObject.GDI32 ref: 00809616
StrokePath.GDI32(?), ref: 00809631

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 7bb1e17fce5e4c9b7b420464c45532656f16f4ac89259aa43b5b8171bdc2a74f
Instruction ID: 955bc10d76f77049c362f7b74506b313d5923a7ec738e6952ca7c9c563ed203c
Opcode Fuzzy Hash: 7bb1e17fce5e4c9b7b420464c45532656f16f4ac89259aa43b5b8171bdc2a74f
Instruction Fuzzy Hash: B5F03C34005A08EBDBA25F69ED9CB643F71FB12362F448214F465950F2C73189A9DF20

Function 00820F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008210F9
__freea.LIBCMT ref: 00821117

Part of subcall function 00821537: _free.LIBCMT ref: 0082154F

Strings

a/p, xrefs: 008211DE
am/pm, xrefs: 0082117A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 09a605736e8a6800ddd17d037e820e8229da98beab292101d3f669be9dbe0559
Instruction ID: 4557f9cf66c684ea3bde69238e5ba3414f94e936a433723d8095f50bf789f54e
Opcode Fuzzy Hash: 09a605736e8a6800ddd17d037e820e8229da98beab292101d3f669be9dbe0559
Instruction Fuzzy Hash: 4BD1E03190022ADACF24DF68E85DABAB7B2FF25304F340119E901DBA90D7399DC1CB91

Function 00877B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00810242: EnterCriticalSection.KERNEL32(008C070C,008C1884,?,?,0080198B,008C2518,?,?,?,007F12F9,00000000), ref: 0081024D
Part of subcall function 00810242: LeaveCriticalSection.KERNEL32(008C070C,?,0080198B,008C2518,?,?,?,007F12F9,00000000), ref: 0081028A

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 008100A3: __onexit.LIBCMT ref: 008100A9

__Init_thread_footer.LIBCMT ref: 00877BFB

Part of subcall function 008101F8: EnterCriticalSection.KERNEL32(008C070C,?,?,00808747,008C2514), ref: 00810202
Part of subcall function 008101F8: LeaveCriticalSection.KERNEL32(008C070C,?,00808747,008C2514), ref: 00810235

Strings

5, xrefs: 00877C78
G, xrefs: 00877C7F
Variable must be of type 'Object'., xrefs: 00877C3A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 33359e8c652a3fb099bb2a5050ba0e62a44ee10c041fcb49f4db4fc175b91d74
Instruction ID: dffdd013fcc796ea8cb4012a2bec8af788de65f403a925423e6eb56d18f4a372
Opcode Fuzzy Hash: 33359e8c652a3fb099bb2a5050ba0e62a44ee10c041fcb49f4db4fc175b91d74
Instruction Fuzzy Hash: 7C916770A04209EFCB15EF98C8859ADBBB1FF48304F148059F91A9B29ADB71EE45CB51

Function 00852716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0085B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008521D0,?,?,00000034,00000800,?,00000034), ref: 0085B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00852760

Part of subcall function 0085B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008521FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0085B3F8

Part of subcall function 0085B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0085B355
Part of subcall function 0085B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00852194,00000034,?,?,00001004,00000000,00000000), ref: 0085B365
Part of subcall function 0085B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00852194,00000034,?,?,00001004,00000000,00000000), ref: 0085B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008527CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0085281A

Strings

@, xrefs: 00852832

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9bdbf0327c77130e0858818396051fa97c4e7b0b2a2b4a6d2f061546d62a5f55
Instruction ID: 9e6e6b66c5dcf86bec51ead3dbc847463f198947c37f732c3574cad858c97658
Opcode Fuzzy Hash: 9bdbf0327c77130e0858818396051fa97c4e7b0b2a2b4a6d2f061546d62a5f55
Instruction Fuzzy Hash: F3410D76900218BFDB10DBA8CD85AEEBBB8FF19701F104059FA55B7181DB706E49CBA1

Function 0082172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00821769
_free.LIBCMT ref: 00821834
_free.LIBCMT ref: 0082183E

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00821760, 00821767, 00821796, 008217CE

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\file.exe
API String ID: 2506810119-1505163051
Opcode ID: 593e988cb36cd673b39096dc8aebb7bf5a8f49b90b07b66387109c2ba3012b95
Instruction ID: bcfea1dcb19b44470945cb47ddf0204d9715b635406e221b549a77d1131d92af
Opcode Fuzzy Hash: 593e988cb36cd673b39096dc8aebb7bf5a8f49b90b07b66387109c2ba3012b95
Instruction Fuzzy Hash: 2F316F75A00228AFDF21DF99A8C9D9EBBFCFB95310B644166F804D7216D6708E80CB91

Function 0085C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0085C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0085C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,008C1990,014858D0), ref: 0085C395

Strings

0, xrefs: 0085C2DF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 9092c4dcecd15d6ba42700ed2e382cbe06f30e6eb98ee7ea1b4fb0d9fe450752
Instruction ID: 63f8871fd1890ee98004a356ac20e65408ba89516934895d8fe1e58febdc9a20
Opcode Fuzzy Hash: 9092c4dcecd15d6ba42700ed2e382cbe06f30e6eb98ee7ea1b4fb0d9fe450752
Instruction Fuzzy Hash: 0F416D312043059FDB20DF29D885B9ABBE4FF85315F14861DEDA5D7391D730A908CB62

Function 00884416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0088CC08,00000000,?,?,?,?), ref: 008844AA
GetWindowLongW.USER32 ref: 008844C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 008844D7

Strings

SysTreeView32, xrefs: 0088447C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 23fb778bacda6e70328d17e459ee77c5b4c1496c8e43fef67c8db5e9e0615399
Instruction ID: 1a57a933e327f6599a8747e223b1d94a6e43d953820eeccc5ed5095cfae996b9
Opcode Fuzzy Hash: 23fb778bacda6e70328d17e459ee77c5b4c1496c8e43fef67c8db5e9e0615399
Instruction Fuzzy Hash: 33319E32211606ABDB20AE78DC45BEA7BA9FB08324F205725F975E22D1D774AC509760

Function 0087304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0087335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00873077,?,?), ref: 00873378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0087307A
_wcslen.LIBCMT ref: 0087309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00873106

Strings

255.255.255.255, xrefs: 00873095, 0087309A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: b6bb429525463509c0092be16ac3b3979bd2e90f994fae10df05cc20516d6b80
Instruction ID: 61ce1f384d231df69671e15929220533013c870ec4f5e8471507cf5a841001f0
Opcode Fuzzy Hash: b6bb429525463509c0092be16ac3b3979bd2e90f994fae10df05cc20516d6b80
Instruction Fuzzy Hash: D231AF392042059FCB20CF68C485AAA77A0FF14318F64C069E919CB3A6DB32EE45D762

Function 00884653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00884705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00884713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0088471A

Strings

msctls_updown32, xrefs: 00884684

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 7c5ee91e5f42ba920a1703461aa97bfe6919f3c6c2b80fc546ad073168915d42
Instruction ID: 59d7c3ec01302d234bc3a7299f64b1a4c05ce8fe48d3f3c88de04f4491f154f9
Opcode Fuzzy Hash: 7c5ee91e5f42ba920a1703461aa97bfe6919f3c6c2b80fc546ad073168915d42
Instruction Fuzzy Hash: 86213BB5600209AFEB10EF68DCC5DA637ADFB5A398B140059FA01DB351DB70EC11CB60

Function 008595AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0085961D

Strings

#notrayicon, xrefs: 008595B7
#requireadmin, xrefs: 008595D9
#OnAutoItStartRegister, xrefs: 008595F3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 41828feb3a311e4e867708deeebb6a20df656fcb69ea71e5b8729f3169367092
Instruction ID: 21c926d0170afb03904022a80e179e6a62ae128ddc57c95a39e27f4d096bd0ee
Opcode Fuzzy Hash: 41828feb3a311e4e867708deeebb6a20df656fcb69ea71e5b8729f3169367092
Instruction Fuzzy Hash: 04212672204215E6C731AA28DC02FB773DCFFA1316F544026FE89D7182EB559D9DC296

Function 008837B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00883840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00883850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00883876

Strings

Listbox, xrefs: 0088380F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 70d9bc4a5c381c7baa11c5a860e7cd41c82bca56f047437c735ba36287909565
Instruction ID: a28e3803147632d2e3df2b901c26e7111b9ab651b557e14c070a31327d77d2ba
Opcode Fuzzy Hash: 70d9bc4a5c381c7baa11c5a860e7cd41c82bca56f047437c735ba36287909565
Instruction Fuzzy Hash: ED219F72610218BBEF21AF54CC85FBB376EFF89B54F118124FA149B190DA71EC5287A0

Function 008649F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00864A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00864A5C
SetErrorMode.KERNEL32(00000000,?,?,0088CC08), ref: 00864AD0

Strings

%lu, xrefs: 00864A6F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: d79cf1ba8860a12489a54e7a912e5edfba705d0aee9e765d5018f7f168e05515
Instruction ID: 8ae172fb47554d58d7ff4cf5e9daee7321ced49fe4cd41f381063f12693f5d97
Opcode Fuzzy Hash: d79cf1ba8860a12489a54e7a912e5edfba705d0aee9e765d5018f7f168e05515
Instruction Fuzzy Hash: 53314B75A00108AFDB10DF68C985EAA7BE8FF08308F1480A5E909DB352D775ED45CB61

Function 008841EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0088424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00884264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00884271

Strings

msctls_trackbar32, xrefs: 00884226

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 4afefeb511b65ee6cab03b601b552ff3bd617ffcb2d74c48cd52d43fe06ddaac
Instruction ID: 7c1fdf72c10b04719ae9dd7d6c083a8e766095d08b647345e13f207f51dc40fb
Opcode Fuzzy Hash: 4afefeb511b65ee6cab03b601b552ff3bd617ffcb2d74c48cd52d43fe06ddaac
Instruction Fuzzy Hash: 8B11E332244209BEEF20AF28CC06FAB3BACFF95B54F110124FA55E2190D671DC219B20

Function 00852F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F6B57: _wcslen.LIBCMT ref: 007F6B6A

Part of subcall function 00852DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00852DC5
Part of subcall function 00852DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00852DD6
Part of subcall function 00852DA7: GetCurrentThreadId.KERNEL32 ref: 00852DDD
Part of subcall function 00852DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00852DE4

GetFocus.USER32 ref: 00852F78

Part of subcall function 00852DEE: GetParent.USER32(00000000), ref: 00852DF9

GetClassNameW.USER32(?,?,00000100), ref: 00852FC3
EnumChildWindows.USER32(?,0085303B), ref: 00852FEB

Strings

%s%d, xrefs: 00852FFF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: c3f6381670ed4662b5758752bf0fb81cd3f6a20273795df01424b9121083c60e
Instruction ID: c5481dcb8df78fc3ab22180209d03a9313e28f86ee7f550575ac2e5a8e1f99c2
Opcode Fuzzy Hash: c3f6381670ed4662b5758752bf0fb81cd3f6a20273795df01424b9121083c60e
Instruction Fuzzy Hash: D911D2B1200209ABCF50BF688C85EED376AFF94305F044079BD09DB296EE349D098B71

Function 00885882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008858C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 008858EE
DrawMenuBar.USER32(?), ref: 008858FD

Strings

0, xrefs: 0088588F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 31a79dce561968ee1872d096282c324c516b887e78ece909c2ff176f87ad7e8a
Instruction ID: 74ff8e1520c0d8706c0de8742f8f7a9d6ca2b82345c89d5124a9a192ffc8967b
Opcode Fuzzy Hash: 31a79dce561968ee1872d096282c324c516b887e78ece909c2ff176f87ad7e8a
Instruction Fuzzy Hash: 5F015B31500218EEDB61AF15EC44BAEBFB4FB45360F1080A9E949DA1A2DB308A84DF21

Function 0085007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ce8999ca19f213b9a9a07a17363a03f3eb366290d91d355fae108c9aa16d90
Instruction ID: 4c88defa9867b0403faa6e7deac74ae7dffef57cf1977d8c486940bd75d9bdc2
Opcode Fuzzy Hash: b8ce8999ca19f213b9a9a07a17363a03f3eb366290d91d355fae108c9aa16d90
Instruction Fuzzy Hash: 53C14B75A0020AEFDB15CFA8C894AAEB7B5FF48705F208598E905EB251D731ED45CF90

Function 00823E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00823F0B
__alldvrm.LIBCMT ref: 0082410C
__alldvrm.LIBCMT ref: 0082412E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: c9a37ae8efbf0ab39f8728714eab13be96af996d05731f7f51550b57a021f526
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: EAA15772E007A69FDB21CF18E8917AEBBE4FF61350F14416DE585DB281C63899C1C761

Function 0087342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00873459
CoUninitialize.OLE32 ref: 00873463
VariantInit.OLEAUT32(?), ref: 0087346E
VariantClear.OLEAUT32(?), ref: 0087371B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 96b631b9df224b0fccdfc32077f16cc7d3e333b436f7d99e37c1ccab2f7e68c6
Instruction ID: 7f197cd669ec10ee7fb09422f4742b0076e7b1b80cb20715de7881d309f92688
Opcode Fuzzy Hash: 96b631b9df224b0fccdfc32077f16cc7d3e333b436f7d99e37c1ccab2f7e68c6
Instruction Fuzzy Hash: 56A14875204204DFC714DF28C885A2AB7E5FF88724F048859F98ADB366DB74EE05DB92

Function 00850436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0088FC08,?), ref: 008505F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0088FC08,?), ref: 00850608
CLSIDFromProgID.OLE32(?,?,00000000,0088CC40,000000FF,?,00000000,00000800,00000000,?,0088FC08,?), ref: 0085062D
_memcmp.LIBVCRUNTIME ref: 0085064E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: fd3898c84f8e2dddb7fb32dabbc8a517732fd622deef74e51a497bfa73e12aa1
Instruction ID: 519bef944197ad9c812720adc1379ccc1ad1f6bd4a938ceb56c5106214246d33
Opcode Fuzzy Hash: fd3898c84f8e2dddb7fb32dabbc8a517732fd622deef74e51a497bfa73e12aa1
Instruction Fuzzy Hash: FB81BA75A00209EFCB04DF94C984DEEB7B9FF89315B204558E916EB250DB71AE4ACF60

Function 0087A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0087A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0087A6BA

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0087A79C
CloseHandle.KERNEL32(00000000), ref: 0087A7AB

Part of subcall function 0080CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00833303,?), ref: 0080CE8A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 7099dc95ce1655dae6e022357a6090e91d9ea4ce65a69f8a4803f7b889ff4a80
Instruction ID: aac911db82d560d066e0dde8508c02b43b9daa3a10170b648894474006601f9d
Opcode Fuzzy Hash: 7099dc95ce1655dae6e022357a6090e91d9ea4ce65a69f8a4803f7b889ff4a80
Instruction Fuzzy Hash: 29512C715083049FD714EF24C886A6BBBE8FF89754F00892DF689D7292EB34D904CB92

Function 00831391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008314C0

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 639089de459438af3f6a1d447667f294c2d0604f7250efee2efa2f915212a94a
Instruction ID: 708b61203d23a76f0631c5a3c761a131bb5c4fa52f27f716b032768b8f380700
Opcode Fuzzy Hash: 639089de459438af3f6a1d447667f294c2d0604f7250efee2efa2f915212a94a
Instruction Fuzzy Hash: 25417F31A001146BDF217BBD9C4EAFE3AAAFFC1B70F144625F419D2292E674488153E7

Function 00886278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 008862E2
ScreenToClient.USER32(?,?), ref: 00886315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00886382

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7d0d375bd647fa4bac17d9796f401acc34493167d96a36a1f20e06bc05cb44e5
Instruction ID: c7977c96db74d398606b2f3c4c5427dfc43fe15b16ff1ac71f75c9b0c2b94bd3
Opcode Fuzzy Hash: 7d0d375bd647fa4bac17d9796f401acc34493167d96a36a1f20e06bc05cb44e5
Instruction Fuzzy Hash: E7510774A00209EFDF10EF68D984AAE7BB5FF45364F108169F915DB2A1E730AD91CB50

Function 00871AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00871AFD
WSAGetLastError.WSOCK32 ref: 00871B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00871B8A
WSAGetLastError.WSOCK32 ref: 00871B94

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 257bf619ee56ed24e72d624d6282ca7e6a8be5978458fce821ca52e1c36c1819
Instruction ID: b97da1daf293c7a4ac53054ad430755a828492eb4769660f6002b491a2a44b56
Opcode Fuzzy Hash: 257bf619ee56ed24e72d624d6282ca7e6a8be5978458fce821ca52e1c36c1819
Instruction Fuzzy Hash: 37418D35600204AFEB20AF28C88AF3977E5EB48718F54C458FA1A9F7D2D676DD418B91

Function 0082B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfabdfe65e3511b29b51e270c59cbd1cf4cd2a515f4f63962fa9666f8b088a50
Instruction ID: f5d58c1aa38605195e0d1b0f53db888146d4a6d1df5b87d7e8f73a991b24957d
Opcode Fuzzy Hash: bfabdfe65e3511b29b51e270c59cbd1cf4cd2a515f4f63962fa9666f8b088a50
Instruction Fuzzy Hash: 16411771A00724BFD724AF7CDC81BAABBE9FF88710F10452AF541DB282D77199818781

Function 008656D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00865783
GetLastError.KERNEL32(?,00000000), ref: 008657A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008657CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008657FA

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8cf56eee0ed8810a21926298bddcd569dbcdca7fefbc642100b1448a3f546329
Instruction ID: 91b1cd9ec0450a090739aef42abe71153e9c23f8faebd3ebae5344b15afcd695
Opcode Fuzzy Hash: 8cf56eee0ed8810a21926298bddcd569dbcdca7fefbc642100b1448a3f546329
Instruction Fuzzy Hash: 4B414E35600615DFCB15DF15C544A2EBBE2FF89320F198498E94AAB362CB78FD04CB91

Function 0082D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00816D71,00000000,00000000,008182D9,?,008182D9,?,00000001,00816D71,8BE85006,00000001,008182D9,008182D9), ref: 0082D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0082D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0082D9AB
__freea.LIBCMT ref: 0082D9B4

Part of subcall function 00823820: RtlAllocateHeap.NTDLL(00000000,?,008C1444,?,0080FDF5,?,?,007FA976,00000010,008C1440,007F13FC,?,007F13C6,?,007F1129), ref: 00823852

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0a195d4d4b253bc35db11ab0a83c6213f913dd9639c34740b4a45d22b50e6516
Instruction ID: 731734f852279246dc8350e633f5b13b5a99031dd273024b36086855785d9a21
Opcode Fuzzy Hash: 0a195d4d4b253bc35db11ab0a83c6213f913dd9639c34740b4a45d22b50e6516
Instruction Fuzzy Hash: 45319FB2A0022AABDB24DF69EC85EAE7FA5FF40310B154168FC04D6250E735CDD1CBA1

Function 008852C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00885352
GetWindowLongW.USER32(?,000000F0), ref: 00885375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00885382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008853A8

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 17190de16fcac1f8bc888f0f6237a7ada59b434bc2046d2cab8cc632658a2d49
Instruction ID: 72c653e5a7cf7936b394b8e943ddac9054482267baa5d63b147c38aa949b99f1
Opcode Fuzzy Hash: 17190de16fcac1f8bc888f0f6237a7ada59b434bc2046d2cab8cc632658a2d49
Instruction Fuzzy Hash: 50319C34A55A0CFFEB30AA18CC56FE97765FB06391F984101BA11D63E1C7B4AE809B52

Function 0085AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 0085ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0085AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0085AC74
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 0085ACC6

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db4de6b7cd6d1d351993243f103ea54d10419fb21af81e3bb06ce3667019639b
Instruction ID: ca78c67ab685ca34e98516cedb9730af1707038738c0ec8b93ee54ab51e7e22e
Opcode Fuzzy Hash: db4de6b7cd6d1d351993243f103ea54d10419fb21af81e3bb06ce3667019639b
Instruction Fuzzy Hash: 80311430A00218AFEF28CB68C8457FA7AA5FB89312F04431EE895D61D0D3748D8D8762

Function 00887674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0088769A
GetWindowRect.USER32(?,?), ref: 00887710
PtInRect.USER32(?,?,00888B89), ref: 00887720
MessageBeep.USER32(00000000), ref: 0088778C

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f217aa463bd78bc409c1aeec12bd7b07a1851f46a099df48846c767ecc5b2e56
Instruction ID: 334267b0efb470bab11cae6e6afa734bf1e21a16588936c9c12d327bb05eb6bc
Opcode Fuzzy Hash: f217aa463bd78bc409c1aeec12bd7b07a1851f46a099df48846c767ecc5b2e56
Instruction Fuzzy Hash: 6941AB34A09255DFDB11EF68C898EA9BBF4FB4A304F6840A8E814DB261D330E945CF90

Function 008816DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 008816EB

Part of subcall function 00853A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00853A57
Part of subcall function 00853A3D: GetCurrentThreadId.KERNEL32 ref: 00853A5E
Part of subcall function 00853A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,008525B3), ref: 00853A65

GetCaretPos.USER32(?), ref: 008816FF
ClientToScreen.USER32(00000000,?), ref: 0088174C
GetForegroundWindow.USER32 ref: 00881752

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 62aaf9c7aa91aff6aa61080232d32b86e8954aefe5d966780f6ea045fd6ec87f
Instruction ID: 55c7364e076cc75a61611c379b1f78eda982e275e284759487f0d89a9cfdc530
Opcode Fuzzy Hash: 62aaf9c7aa91aff6aa61080232d32b86e8954aefe5d966780f6ea045fd6ec87f
Instruction Fuzzy Hash: 0A315E75D00149AFCB00EFA9C885CAEBBFDFF48304B5480A9E515E7311DA359E45CBA1

Function 00888FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

GetCursorPos.USER32(?), ref: 00889001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00847711,?,?,?,?,?), ref: 00889016
GetCursorPos.USER32(?), ref: 0088905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00847711,?,?,?), ref: 00889094

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: ec79c28317f13b4777838591aeb14dc1af51f9caf95a1f8e55ab6fd4153eeae5
Instruction ID: 5e584fb8f3493f6f4c407ad5af7991143a23e4cdeeb8995053cbb4f283427a82
Opcode Fuzzy Hash: ec79c28317f13b4777838591aeb14dc1af51f9caf95a1f8e55ab6fd4153eeae5
Instruction Fuzzy Hash: 2F219F35600418EFDF259F98CC98EFA7BF9FB4A360F184069F946972A2D3319950DB60

Function 0085D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0088CB68), ref: 0085D2FB
GetLastError.KERNEL32 ref: 0085D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0085D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0088CB68), ref: 0085D376

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 18450044ad2290f4597a4807999861c889ac5a5bf7617258b292b89aaba4b5a8
Instruction ID: 89135fe49c0b0654d11efeddaa95ea22a28ae4464f112b73b69bd659e1297435
Opcode Fuzzy Hash: 18450044ad2290f4597a4807999861c889ac5a5bf7617258b292b89aaba4b5a8
Instruction Fuzzy Hash: 43215C705093059F8720EF28C8858AAB7E4FE56365F104A1DFCA9C73A1E731D94ACB93

Function 00851571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00851014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0085102A
Part of subcall function 00851014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00851036
Part of subcall function 00851014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851045
Part of subcall function 00851014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0085104C
Part of subcall function 00851014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00851062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008515BE
_memcmp.LIBVCRUNTIME ref: 008515E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00851617
HeapFree.KERNEL32(00000000), ref: 0085161E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: bb62a255c2c40cf4f1bd0112d3b2eed9cf49e6c3cb603db222397c2eff19f1b9
Instruction ID: 66eb22cf05721fdfaa64d97191d4d861faca9d24052ad225971dfa94fe4df752
Opcode Fuzzy Hash: bb62a255c2c40cf4f1bd0112d3b2eed9cf49e6c3cb603db222397c2eff19f1b9
Instruction Fuzzy Hash: 12215A71E40109ABDF00DFA4C949BEEB7B8FF54345F084459E851E7241E730AA09CB60

Function 00882782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0088280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00882824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00882832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00882840

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: c4332c0b222901d90f3b71da9644a49c754104a7c44f06553ad70be764471da2
Instruction ID: 932837aa75c0835d44f3992d840ac2a0f3ba8b1e1443eec1f89490719b86e826
Opcode Fuzzy Hash: c4332c0b222901d90f3b71da9644a49c754104a7c44f06553ad70be764471da2
Instruction Fuzzy Hash: 3421A135204515AFDB14AB28C855FAA7B95FF45324F148258F426CB6E2CB75FC42C790

Function 008578F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00858D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0085790A,?,000000FF,?,00858754,00000000,?,0000001C,?,?), ref: 00858D8C
Part of subcall function 00858D7D: lstrcpyW.KERNEL32(00000000,?,?,0085790A,?,000000FF,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00858DB2
Part of subcall function 00858D7D: lstrcmpiW.KERNEL32(00000000,?,0085790A,?,000000FF,?,00858754,00000000,?,0000001C,?,?), ref: 00858DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00857923
lstrcpyW.KERNEL32(00000000,?,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00857949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00858754,00000000,?,0000001C,?,?,00000000), ref: 00857984

Strings

cdecl, xrefs: 0085797B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 53f23451002de0fde9279558d9931618d715edbfb6919222ba934594a58b7bf5
Instruction ID: d2f7e19c9f9998f68772ca299f63107e0ad1094cab05c77a9616f2e24a604f25
Opcode Fuzzy Hash: 53f23451002de0fde9279558d9931618d715edbfb6919222ba934594a58b7bf5
Instruction Fuzzy Hash: C511063A200242ABCB159F39DC44E7A7BA9FF85351B40802AFD02CB3A4EB359815C761

Function 00887CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00887D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00887D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00887D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0086B7AD,00000000), ref: 00887D6B

Part of subcall function 00809BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00809BB2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 355a5bc4330fe42c17da26c5e8c4d95811039b978a7b22d53e89a83b3f5a4f04
Instruction ID: d7e750184440f5cbcc78480b27cca082cf1e3272ca5c108c10271c9cac2ab342
Opcode Fuzzy Hash: 355a5bc4330fe42c17da26c5e8c4d95811039b978a7b22d53e89a83b3f5a4f04
Instruction Fuzzy Hash: 80115E32605615AFCB10AF68CC48E663BB5FF463A0B254728F835D72E5E730D951DB50

Function 00885660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 008856BB
_wcslen.LIBCMT ref: 008856CD
_wcslen.LIBCMT ref: 008856D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00885816

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 0e0122f15a13b61ffad21fb19345c9947c6a9b35c0e8fb3f1943205561881236
Instruction ID: ca79630810d1a11fe59be5225692d2561d6fde55541bf9e06fc9a8dc2f73276e
Opcode Fuzzy Hash: 0e0122f15a13b61ffad21fb19345c9947c6a9b35c0e8fb3f1943205561881236
Instruction Fuzzy Hash: F311BE75A10608A6DF20EF65DC85AEE7BBCFF21764F10402AF915E6191EB70CA84CB64

Function 00821D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 474f4d9afa09323944dcdf4cf95a34a5d5a52ebe4edc20dc05e8498e2cb8b88b
Instruction ID: 88175b494b25252dd699506a92e086a18c7eb946fcfe42bbf3082122f8f5735d
Opcode Fuzzy Hash: 474f4d9afa09323944dcdf4cf95a34a5d5a52ebe4edc20dc05e8498e2cb8b88b
Instruction Fuzzy Hash: A1018BB220962ABEFA21267C7CC8F276A1CFF613B8B300325F521E11D2DB708C815270

Function 00851A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00851A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00851A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00851A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00851A8A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bc6d7704565fdbc2022ad2502cb3bc809a389049210381d8902847efaad83953
Instruction ID: 062f46e732cc45b1821d2c1559bde2f70e4196b4ba9e8b17ad25e6acbb2a389d
Opcode Fuzzy Hash: bc6d7704565fdbc2022ad2502cb3bc809a389049210381d8902847efaad83953
Instruction Fuzzy Hash: BD112A3A901229FFEF12DBA4C985FADBB79FB04750F200091EA00B7290D7716E50DB94

Function 0085E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0085E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0085E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0085E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0085E24D

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 9cf40049e239a243de6f45498d2acbb162643e8bbd0eb64a31738211f519fd5c
Instruction ID: 2fe1990bf55a739b13c05f565e3b6bcf2479879455d5c0d7e4974c2d2a97966d
Opcode Fuzzy Hash: 9cf40049e239a243de6f45498d2acbb162643e8bbd0eb64a31738211f519fd5c
Instruction Fuzzy Hash: 02110476904258BBCB059FBCAC49E9E7FACFB46326F004255F824E3395D7B49A0487B0

Function 0081D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0081CFF9,00000000,00000004,00000000), ref: 0081D218
GetLastError.KERNEL32 ref: 0081D224
__dosmaperr.LIBCMT ref: 0081D22B
ResumeThread.KERNEL32(00000000), ref: 0081D249

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: de3164914b2c98230dd1affa9651196c1cd2dcb732ac48f754a9355622920756
Instruction ID: acc80d1c7925730dc7a2be4ca2af3ba894ebc0156b57243408180c7ebb5bb701
Opcode Fuzzy Hash: de3164914b2c98230dd1affa9651196c1cd2dcb732ac48f754a9355622920756
Instruction Fuzzy Hash: 5001D236805308BBCB115BA9DC09BEA7B6DFF81330F204219F935D21D1DB719981C7A1

Function 007F600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007F604C
GetStockObject.GDI32(00000011), ref: 007F6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 007F606A

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 4027525a90fc7ee06857ea152676bb2a79a8ec121c03d98649a15b4fd853f5ea
Instruction ID: 864a0047d4bd15264c6a6d43131fe87f223fde7c85e64be6eded09d409056e47
Opcode Fuzzy Hash: 4027525a90fc7ee06857ea152676bb2a79a8ec121c03d98649a15b4fd853f5ea
Instruction Fuzzy Hash: F4115E7250150DBFEF125FA89C44EFA7B69FF19754F140115FA1552110DB369C609BA0

Function 00813B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00813B56

Part of subcall function 00813AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00813AD2
Part of subcall function 00813AA3: ___AdjustPointer.LIBCMT ref: 00813AED

_UnwindNestedFrames.LIBCMT ref: 00813B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00813B7C
CallCatchBlock.LIBVCRUNTIME ref: 00813BA4

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: e61519fdfe08602329358f7ad4552b7c5b41a79d4add1c494c391257eb396559
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: DB012972100148BBDF125E99CC42EEB3B6DFF48764F044014FE48A6121D732E9A1DBA1

Function 00823073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007F13C6,00000000,00000000,?,0082301A,007F13C6,00000000,00000000,00000000,?,0082328B,00000006,FlsSetValue), ref: 008230A5
GetLastError.KERNEL32(?,0082301A,007F13C6,00000000,00000000,00000000,?,0082328B,00000006,FlsSetValue,00892290,FlsSetValue,00000000,00000364,?,00822E46), ref: 008230B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0082301A,007F13C6,00000000,00000000,00000000,?,0082328B,00000006,FlsSetValue,00892290,FlsSetValue,00000000), ref: 008230BF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 31c2ab3e361022b8473eef741a0a884d8047b7ed1e7471c2d04cca9767b00be3
Instruction ID: 6096cdec3a17194a87ee1bbf0863024c559da65107b0065e7de67be9e5aab942
Opcode Fuzzy Hash: 31c2ab3e361022b8473eef741a0a884d8047b7ed1e7471c2d04cca9767b00be3
Instruction Fuzzy Hash: D801D432711A36ABCB214A78BC54A577B98FF05BA5B200624F905E3280CB35D981C7F0

Function 00857464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0085747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00857497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 008574AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 008574CA

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 5056a6ec4e6c76ded19419940cfde353fdcf141232858768f40f614425ef1654
Instruction ID: d0013eb24add23d79c032bf9e10e214b1ad3fef112083c3f661ea602f7d2d4f2
Opcode Fuzzy Hash: 5056a6ec4e6c76ded19419940cfde353fdcf141232858768f40f614425ef1654
Instruction Fuzzy Hash: 3511ADB5205315ABE7208F28EC08F927BFCFB00B05F10C569EE16D6191D7B0E948DBA5

Function 0085B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0085ACD3,?,00008000), ref: 0085B126

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: badffd3aabe2dfc7f5aa22e48cb1343859db750f9f5a9151302e776a651bfb60
Instruction ID: 619c1b917ffe8369cd6f8e6c4d8b30847c0b469e84e9be486b8e9b7bb8313bec
Opcode Fuzzy Hash: badffd3aabe2dfc7f5aa22e48cb1343859db750f9f5a9151302e776a651bfb60
Instruction Fuzzy Hash: BB115B31C0192DEBCF00AFE9E9986EEBF78FF19712F114485D941B2285DB3056548B61

Function 00852DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00852DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00852DD6
GetCurrentThreadId.KERNEL32 ref: 00852DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00852DE4

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: f50714f719f7b725280faa426afeef1050881cc0b3350d7c6bc470a22a9e80c4
Instruction ID: 4ed35181dae472801e271425135b136283147462f2d22bff5bd984085ced93b6
Opcode Fuzzy Hash: f50714f719f7b725280faa426afeef1050881cc0b3350d7c6bc470a22a9e80c4
Instruction Fuzzy Hash: 9BE06DB11012287AD7205B66AC0DEEB3E6CFB53BA2F000229B906D1080AAA48844C7B0

Function 00888863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00809639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00809693
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096A2
Part of subcall function 00809639: BeginPath.GDI32(?), ref: 008096B9
Part of subcall function 00809639: SelectObject.GDI32(?,00000000), ref: 008096E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00888887
LineTo.GDI32(?,?,?), ref: 00888894
EndPath.GDI32(?), ref: 008888A4
StrokePath.GDI32(?), ref: 008888B2

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 922d8fa1e05d163b4840b25d278de5e1e1e19cbdc2673088420e8154c9814124
Instruction ID: 7610e867d27ac3179bbe5cbf1a5f52e6bc6509dd108e8232c416f148f2aec70e
Opcode Fuzzy Hash: 922d8fa1e05d163b4840b25d278de5e1e1e19cbdc2673088420e8154c9814124
Instruction Fuzzy Hash: 1CF03436041658FAEB126F98AC0EFCA3E69BF06310F848000FA11A50E2C7B55521CBAA

Function 008098B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008098CC
SetTextColor.GDI32(?,?), ref: 008098D6
SetBkMode.GDI32(?,00000001), ref: 008098E9
GetStockObject.GDI32(00000005), ref: 008098F1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 27e6e0a1fd725e519f47a9d5e098338c9c621fdd560a1b767d7425b424dc1df0
Instruction ID: 1ff9e8b707b811687710ac56f79f994dbadb4fdec4cc5eb78127dfeeec1f5707
Opcode Fuzzy Hash: 27e6e0a1fd725e519f47a9d5e098338c9c621fdd560a1b767d7425b424dc1df0
Instruction Fuzzy Hash: DCE06D31244284AEDB215B78BC0DBE83F20FB12336F04821AF6FA980E5C37146409B20

Function 0085162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00851634
OpenThreadToken.ADVAPI32(00000000,?,?,?,008511D9), ref: 0085163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008511D9), ref: 00851648
OpenProcessToken.ADVAPI32(00000000,?,?,?,008511D9), ref: 0085164F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: e04ab0cd1d0351891dee8661c4795ee0d22a7dafa2b825ff8d8b1929ab45d433
Instruction ID: a86eda1931afeeadf7977f5b1bbe3193460bee13eb214488de62e8bba20e52a0
Opcode Fuzzy Hash: e04ab0cd1d0351891dee8661c4795ee0d22a7dafa2b825ff8d8b1929ab45d433
Instruction Fuzzy Hash: 81E04632602212ABDB201BB9AE0DB863BA8FF55792F158808F645C9084E63484458B60

Function 0084D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0084D858
GetDC.USER32(00000000), ref: 0084D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0084D882
ReleaseDC.USER32(?), ref: 0084D8A3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 87a22f5463722cd711e4f867085956150c30ee31cbe74573d8d5a810fb952b4e
Instruction ID: 07b68a80c62bf07d14058e3a7c733d6b3f5150bb0c914c4760eaea160ebf24df
Opcode Fuzzy Hash: 87a22f5463722cd711e4f867085956150c30ee31cbe74573d8d5a810fb952b4e
Instruction Fuzzy Hash: 2EE01AB5800209DFCB419FB4DD0C66DFBB1FB18310F149429E906E7254D7384901AF60

Function 0084D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0084D86C
GetDC.USER32(00000000), ref: 0084D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0084D882
ReleaseDC.USER32(?), ref: 0084D8A3

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c7d63efcaf0119fc1ba7937641cab6caec79a39b9e8161adc6c3d8c4ae77c86c
Instruction ID: 9c9464482f4655e50d738e892619ae5f5bd29f46edce43d75e382f4c84cdd890
Opcode Fuzzy Hash: c7d63efcaf0119fc1ba7937641cab6caec79a39b9e8161adc6c3d8c4ae77c86c
Instruction Fuzzy Hash: F2E012B5800209EFCB41AFB8E80C66DBBB1FB18310B149018E90AE7254DB385901AF60

Function 00864D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007F7620: _wcslen.LIBCMT ref: 007F7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00864ED4

Strings

LPT, xrefs: 00864DFB
*, xrefs: 00864E10

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: b6408ff0423b333af30af38df7c5a053fb389202e17ba478eeba7a7fc4009fe7
Instruction ID: ea586c1cf8e3548b3c526a7f4945aa47c4fbb394df8f0e970080b198a05b7a55
Opcode Fuzzy Hash: b6408ff0423b333af30af38df7c5a053fb389202e17ba478eeba7a7fc4009fe7
Instruction Fuzzy Hash: 10912B75A002089FCB14DF58C484EADBBF1FF44318F199099E50A9B3A2DB75ED85CB91

Function 0081E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0081E30D

Strings

pow, xrefs: 0081E2E5, 0081E302

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c77c38645ebc214494c93c4fbb681c3d94c3e50459a20787b578d744c760cf25
Instruction ID: c4e7d991ff1edbd51453b001ef8512c3e8593c1199e741d01975b940ed29170e
Opcode Fuzzy Hash: c77c38645ebc214494c93c4fbb681c3d94c3e50459a20787b578d744c760cf25
Instruction Fuzzy Hash: 9D515C61A0C116A6CB157729D9413FA3BA8FF40B40F3449A9F8E6C23EDDB358CC59A46

Function 0080E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0080E1B1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: d77f4395de2314ad9f1f45743cb348ab30fa45a2757ce361f1f52a20db384690
Instruction ID: aac7f887244c04b7109714a83a720a362cfb5f72c6efaf9a34048bf518af0c51
Opcode Fuzzy Hash: d77f4395de2314ad9f1f45743cb348ab30fa45a2757ce361f1f52a20db384690
Instruction Fuzzy Hash: 7051223550124EDFDF15DF28C885ABA7BA8FF15324F244469F891DB2D0DA349D42CBA0

Function 0080F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0080F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0080F2BB

Strings

@, xrefs: 0080F2AF

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: fe9467af365d5da6c865e9efd18bff35dd70b5026be454d4369e94a7c0beda2f
Instruction ID: 9b832f6c82e0a78e6b972a015e5845cb4c0fc45fa15fce5af7469fe5f39db6ef
Opcode Fuzzy Hash: fe9467af365d5da6c865e9efd18bff35dd70b5026be454d4369e94a7c0beda2f
Instruction Fuzzy Hash: 50512972418749DBD320AF14DC8ABABB7F8FF85300F81885DF29941195EB748929CB67

Function 00875745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 008757E0
_wcslen.LIBCMT ref: 008757EC

Strings

CALLARGARRAY, xrefs: 008757E6, 008757EB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 9b54bffd2bb7e6c8731437a61c31b9f30200b347df1ec26b810309aa5726206f
Instruction ID: 34052a9e499ccfaf158f08e3512eac30f173f63936dab254f842b11e860e25c9
Opcode Fuzzy Hash: 9b54bffd2bb7e6c8731437a61c31b9f30200b347df1ec26b810309aa5726206f
Instruction Fuzzy Hash: 1341BF31A002099FCB14DFA9C8859BEBBB5FF59324F148029E509E7395E770DD81CBA1

Function 0086D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0086D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0086D13A

Strings

|, xrefs: 0086D10B

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 1eb1afb5205950d5854fc698ddebf251c0bf89f28323445ead4745b6cd623a02
Instruction ID: 5bc404ba6113fe82f584f1cc702e0b0386f9547b0f432bc86f63d11013d25b84
Opcode Fuzzy Hash: 1eb1afb5205950d5854fc698ddebf251c0bf89f28323445ead4745b6cd623a02
Instruction Fuzzy Hash: D4313D71D00209EBCF15EFA5CC85AEEBFB9FF05340F000019F915A6266E775AA56CB60

Function 0088356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00883621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0088365C

Strings

static, xrefs: 008835BC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: af3a1a905a82a18f3b7313d309ec2293660e0fcc9c528b0b03a4b97118c02008
Instruction ID: 1737c58bdc82824254cdff12ba7006b3971c59657c2bf42d765c0c16336be74c
Opcode Fuzzy Hash: af3a1a905a82a18f3b7313d309ec2293660e0fcc9c528b0b03a4b97118c02008
Instruction Fuzzy Hash: 11319E71110608AEDB10EF28DC80EFB73A9FF98B24F109619F9A5D7280DB34AD91D760

Function 00884537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0088461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00884634

Strings

', xrefs: 0088458E

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: ee3d6d0f65c9d5737a963e3ca9570a563eb3a280b3dc2a31c44f7b0b560d6961
Instruction ID: e4c182045d20d7bae2bed48b0108a064a3581462d953f31412b0483e9a1c4f54
Opcode Fuzzy Hash: ee3d6d0f65c9d5737a963e3ca9570a563eb3a280b3dc2a31c44f7b0b560d6961
Instruction Fuzzy Hash: 913116B5A0030A9FDB14DFA9C980BDABBB5FF19300F10506AE904EB341E770A941CF90

Function 008831EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0088327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00883287

Strings

Combobox, xrefs: 00883249

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: b00c2b6b536d6e0323f4926f7f3b990195288ffc5a7bee5ef07fc7f755372e57
Instruction ID: 8fa355de8fd6b8ac0f7a4982766d6d9891c4b3d9451f72aa640e4bd658d5fea0
Opcode Fuzzy Hash: b00c2b6b536d6e0323f4926f7f3b990195288ffc5a7bee5ef07fc7f755372e57
Instruction Fuzzy Hash: 3311B271300208BFEF21AE54DC84EBB376AFB94765F104128F918D7291D7759D518760

Function 00883710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007F600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 007F604C
Part of subcall function 007F600E: GetStockObject.GDI32(00000011), ref: 007F6060
Part of subcall function 007F600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 007F606A

GetWindowRect.USER32(00000000,?), ref: 0088377A
GetSysColor.USER32(00000012), ref: 00883794

Strings

static, xrefs: 00883757

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 7b09b4ae5da108daae9aae6e99e032eaee8303dfedee349c3aff6b49a768c1f7
Instruction ID: ef21b30da5a1bc77eaaff6a805b6467db0bf8e307c8fbf41333d4cfadfee282c
Opcode Fuzzy Hash: 7b09b4ae5da108daae9aae6e99e032eaee8303dfedee349c3aff6b49a768c1f7
Instruction Fuzzy Hash: 8B1129B2610209AFDF00EFA8CC45EFA7BB8FF08714F004525F955E2250E735E8519B60

Function 0086CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0086CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0086CDA6

Strings

<local>, xrefs: 0086CD66

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 7c193e62022a2d9b879d89f0a59523567562bba985993886ba6a5a064b9def40
Instruction ID: 242830c6a5490ecefd3da321b70066efe8f630052d472d9b7fcf081c0fde4e04
Opcode Fuzzy Hash: 7c193e62022a2d9b879d89f0a59523567562bba985993886ba6a5a064b9def40
Instruction Fuzzy Hash: A811C271205635BAD7385BA68C49EF7BEACFF127A8F01422AB189C3180D7749844D6F0

Function 00883429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 008834AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008834BA

Strings

edit, xrefs: 0088348F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 882ef1f8e55e0bf5599a9b94e8a08eae945ef703e8fbe632fc90b71886edf653
Instruction ID: e871b0e1aaeeab32fcb2057ad4441e6acdf919b980eb45651f1d1836c9a32766
Opcode Fuzzy Hash: 882ef1f8e55e0bf5599a9b94e8a08eae945ef703e8fbe632fc90b71886edf653
Instruction Fuzzy Hash: E3119D71100108AAEF11AE68DC44EBA376AFF25B78F504324F961D31D4C775ED519768

Function 00856C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00856CB6
_wcslen.LIBCMT ref: 00856CC2

Strings

STOP, xrefs: 00856CBC, 00856CC1

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 1f6dedc3e51f15348b45f86e81d4f34c51fe04cff9e2a62c9d1f382d8e3c5ff4
Instruction ID: 15560a2c06e62f352af8c4a87bd1ba708a289ca174f7d6aaa82792d6f575ac0d
Opcode Fuzzy Hash: 1f6dedc3e51f15348b45f86e81d4f34c51fe04cff9e2a62c9d1f382d8e3c5ff4
Instruction Fuzzy Hash: C9010832A0052A8ACB219FBDDC809BF77B4FF607117800924ED52D7290FA31DC18C650

Function 00851CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00851D4C

Strings

ListBox, xrefs: 00851D16
ComboBox, xrefs: 00851CEB

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 98d9e9e42fc76a535caed6b0dc66363c02da9867a0dd662ffafbec84ed9eda05
Instruction ID: a397deeafe17d2b0ce5d2321b1fdd254a1d205e061c14bd76d881082a5321104
Opcode Fuzzy Hash: 98d9e9e42fc76a535caed6b0dc66363c02da9867a0dd662ffafbec84ed9eda05
Instruction Fuzzy Hash: 4401B575601218AB8F04EFA4CC59AFE7778FB56390B440519FD32E73D1EA35590CC660

Function 00851BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00851C46

Strings

ListBox, xrefs: 00851C10
ComboBox, xrefs: 00851BE5

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0fd4c55310953c98644795e044436b8721de4e35f56390f700acb33d4e209b5d
Instruction ID: ef37cf6cc3e1bd1e136ffe1e1a1d23f8617009b4ab4f282bb4bfec502b835b29
Opcode Fuzzy Hash: 0fd4c55310953c98644795e044436b8721de4e35f56390f700acb33d4e209b5d
Instruction Fuzzy Hash: 03016775681108A6CF14EBA4C959BFF77A8FF15381F140019EE16F7381EA259E0CD6B1

Function 00851C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00851CC8

Strings

ListBox, xrefs: 00851C94
ComboBox, xrefs: 00851C69

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2abc60e30966918f01ac80cced5ed514f2023b4829785ae7e69e8a6559f76a4e
Instruction ID: 84ba72159855204ed2034d4bbd321d966f624421f471cb8e1fad610ced1fc7da
Opcode Fuzzy Hash: 2abc60e30966918f01ac80cced5ed514f2023b4829785ae7e69e8a6559f76a4e
Instruction Fuzzy Hash: 87016275681118A6CF14EBA5CA19BFE77A8FB11381B540015BD12F3381EA669F0CC672

Function 00851D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007F9CB3: _wcslen.LIBCMT ref: 007F9CBD

Part of subcall function 00853CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00853CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00851DD3

Strings

ListBox, xrefs: 00851DA0
ComboBox, xrefs: 00851D75

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eb216f73e366a177545b8e63573e0f338ecfd96f9220a3e3ebe0174a1b1f8b1c
Instruction ID: eac1247ec5bac25d9a58f40443805adbc6fd3d26cbd713e36d9121360d18dce0
Opcode Fuzzy Hash: eb216f73e366a177545b8e63573e0f338ecfd96f9220a3e3ebe0174a1b1f8b1c
Instruction Fuzzy Hash: 68F0A471A4121CA6DB04EBA8CC5ABFE7778FB01395F040919FE22E33C1EA74590C8271

Function 0087747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00877493
_wcslen.LIBCMT ref: 008774B9

Strings

3, 3, 16, 1, xrefs: 00877483

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: a0d0ab9174f11b63c0b8c8e9caf1925d72c36c7a2d6e64c7797ed3e093dd0090
Instruction ID: 01ea6ce1ef53da4954770919cca8805d333075205062985981715cb04f6882b1
Opcode Fuzzy Hash: a0d0ab9174f11b63c0b8c8e9caf1925d72c36c7a2d6e64c7797ed3e093dd0090
Instruction Fuzzy Hash: 7FE02B02204320109231127EACC19BF5ACDFFC9750714282BF989C237EEA94CDD1D3A6

Function 00850B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00850B23

Strings

Error allocating memory., xrefs: 00850B1C
AutoIt, xrefs: 00850B17

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: f37ff43bd0b8b27c396f93ddd9b36bb9b72b7ea5bbeecfd8ccd747c15e80fbee
Instruction ID: f54817c7b64f4a8f5c63581d5476a24036c737218e93c6cf73b62384904af051
Opcode Fuzzy Hash: f37ff43bd0b8b27c396f93ddd9b36bb9b72b7ea5bbeecfd8ccd747c15e80fbee
Instruction Fuzzy Hash: 7BE0D8312443082AD22037987C03FC97A84FF05B61F104466FBA8D96C38BF1249007FA

Function 00810D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0080F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00810D71,?,?,?,007F100A), ref: 0080F7CE

IsDebuggerPresent.KERNEL32(?,?,?,007F100A), ref: 00810D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007F100A), ref: 00810D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00810D7F

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: e21e6ab492ec79173fb1ae4f7970fb96bd29fe936b0b92c47cab188196241f71
Instruction ID: 1aead0d23c77495e52d104d45b075747418c9f8c9dd12d51977b84a5028d5600
Opcode Fuzzy Hash: e21e6ab492ec79173fb1ae4f7970fb96bd29fe936b0b92c47cab188196241f71
Instruction Fuzzy Hash: 42E0C0B42007518BD7609FBCE8446567BE4FF04744F004A2DE595C6756DBB5E4848BA2

Function 00863017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0086302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00863044

Strings

aut, xrefs: 00863038

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 0ac2a20b41d99551010e28e77a73e48a93ab8815f4d711741c81e7e09bd5481a
Instruction ID: ee83fccd7c0ac80ed323d60a59257342b2b91496b87d425756380cedfe0b33d3
Opcode Fuzzy Hash: 0ac2a20b41d99551010e28e77a73e48a93ab8815f4d711741c81e7e09bd5481a
Instruction Fuzzy Hash: B7D05E7254032867DA20A7A8AC0EFCB3B6CEB04750F0002A1B655E21D5EBB49984CBE0

Function 00882322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0088232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0088233F

Part of subcall function 0085E97B: Sleep.KERNEL32 ref: 0085E9F3

Strings

Shell_TrayWnd, xrefs: 00882325

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 1af4afdfa431fcf17f7b3e111cc923c709c38ff159d244293297dd3c64d06d12
Instruction ID: eeb96cc6ab77fccb82757bd9af52dda79b2001e44dbbec4eca50142744b51f12
Opcode Fuzzy Hash: 1af4afdfa431fcf17f7b3e111cc923c709c38ff159d244293297dd3c64d06d12
Instruction Fuzzy Hash: 5DD0A932380300B6E6A8A7349C0FFC66A04BB00B00F004A167605EA2D4D8B4A80A8B24

Function 00882356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0088236C
PostMessageW.USER32(00000000), ref: 00882373

Part of subcall function 0085E97B: Sleep.KERNEL32 ref: 0085E9F3

Strings

Shell_TrayWnd, xrefs: 00882365

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c0ce27ba8e2818907773232d31369efa34e00dd94df0080d92167f894a27a09a
Instruction ID: d70a1e2440abaddf6b5f008d5561a5f815bedcbec42aa6fb92ec5056fe213c32
Opcode Fuzzy Hash: c0ce27ba8e2818907773232d31369efa34e00dd94df0080d92167f894a27a09a
Instruction Fuzzy Hash: 59D0A9323C03007AE6A8A7349C0FFC66A04BB00B00F004A167601EA2D4D8B4A80A8B28

Function 0082BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0082BE93
GetLastError.KERNEL32 ref: 0082BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0082BEFC

Memory Dump Source

Source File: 00000000.00000002.1424067634.00000000007F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007F0000, based on PE: true

Associated: 00000000.00000002.1423985056.00000000007F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.000000000088C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424239924.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424334810.00000000008BC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1424408006.00000000008C4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f0000_file.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 866e807e97f00d13cd17c595fc94a7b6718cc4b9b3daff4c8b82e9f5883250e8
Instruction ID: a7c099ef020750b6a203739bcb3f603a430bea66324746268d8eb1d9c93b8486
Opcode Fuzzy Hash: 866e807e97f00d13cd17c595fc94a7b6718cc4b9b3daff4c8b82e9f5883250e8
Instruction Fuzzy Hash: AE412A35602226AFCF218F69ED44ABA7BA5FF41320F154169F959D72A1DF308C80CB61

Source: Joe Sandbox View	IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View	IP Address: 151.101.129.91 151.101.129.91
Source: Joe Sandbox View	IP Address: 34.117.188.166 34.117.188.166

Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: /Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache

Source: firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: "https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1451391317.000002C548A94000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1455736004.000002C548A96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1533217776.000002C548A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1474472853.000002C554686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1439493745.000002C549E98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543576017.000002C54C1CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1521541462.000002C54C1CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1439493745.000002C549E98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543576017.000002C54C1CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1521541462.000002C54C1CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1474472853.000002C554686000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1439493745.000002C549E98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543576017.000002C54C1CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1439493745.000002C549E98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1543576017.000002C54C1CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000012.00000002.3190729646.000002958CD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3191456316.000001F61870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000012.00000002.3190729646.000002958CD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3191456316.000001F61870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000012.00000002.3190729646.000002958CD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000013.00000002.3191456316.000001F61870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000013.00000002.3191456316.000001F61870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/& equals www.facebook.com (Facebook)
Source: firefox.exe, 00000013.00000002.3191456316.000001F61870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/& equals www.twitter.com (Twitter)
Source: firefox.exe, 00000013.00000002.3191456316.000001F61870C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/& equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1533217776.000002C548A4C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moz-extension://7d71fa77-151c-427a-99c7-e68aa2a1f821/injections/js/bug1842437-www.youtube.com-performance-now-precision.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1474472853.000002C554686000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1474472853.000002C554694000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000E.00000003.1557201192.000002C549D2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1474472853.000002C554694000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1573217103.000002C5546BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1550369713.000002C5546AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1529796538.000022CA00804000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000E.00000003.1555190519.000002C54A0BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1423862623.000002C549683000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000000E.00000003.1563742869.000002C54A0BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: x://www.facebook.com/platform/impression.php equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: youtube.com
Source: global traffic	DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic	DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic	DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: example.org
Source: global traffic	DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic	DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic	DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic	DNS traffic detected: DNS query: www.youtube.com
Source: global traffic	DNS traffic detected: DNS query: www.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic	DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic	DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic	DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic	DNS traffic detected: DNS query: www.reddit.com
Source: global traffic	DNS traffic detected: DNS query: twitter.com
Source: global traffic	DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic	DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic	DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com

Source: file.exe	Virustotal: Detection: 29%			Perma Link
Source: file.exe	ReversingLabs: Detection: 31%

Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.11:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.11:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.11:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49841 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.11:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.11:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49918 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49921 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49919 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.11:49917 version: TLS 1.2

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49918
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_011744ec-992f-442b-98a4-a3cd771e5be8.json (copy)

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_011744ec-992f-442b-98a4-a3cd771e5be8.json.tmp

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

C:\Users\user\AppData\Local\Temp\tmpaddon

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0CK3ZX5QEJI8AM4NZCUM.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\40371339ad31a7e6.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N9NPE5070IPQD65O732N.temp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\ExperimentStoreData.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addonStartup.json.lz4.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\addons.json.tmp

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\content-prefs.sqlite

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4 (copy)

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\crashes\store.json.mozlz4.tmp

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre